Abstract

A protocol for computing a functionality is secure if an adversary in this protocol cannot cause more 
harm than in an ideal computation where parties give their inputs to a trusted party which returns the 
output of the functionality to all parties. In particular, in the ideal model such computation is fair - 
all parties get the output. Cleve (STOC 1986) proved that, in general, fairness is not possible without 
an honest majority. To overcome this impossibility, Gordon and Katz (Eurocrypt 2010) suggested a 
relaxed definition - 1/p-secure computation - which guarantees partial fairness. For two parties, they 
construct 1/p-secure protocols for functionalities for which the size of either their domain or their range 
is polynomial (in the security parameter). Gordon and Katz ask whether their results can be extended to 
multiparty protocols. 

We study 1/p-secure protocols in the multiparty setting for general functionalities. Our main result is 
constructions of 1/p-secure protocols when the number of parties is constant provided that less than 2/3 
of the parties are corrupt. Our protocols require that either (1) the functionality is deterministic and the 
size of the domain is polynomial (in the security parameter), or (2) the functionality can be randomized 
and the size of the range is polynomial. If the size of the domain is constant and the functionality is 
deterministic, then our protocol is efficient even when the number of parties is O(log log n) (where n is 
the security parameter). On the negative side, we show that when the number of parties is super-constant, 
1/p-secure protocols are not possible when the size of the domain is polynomial. 
1 Introduction



A protocol for computing a functionality is secure if an adversary in this protocol cannot cause more harm 
than in an ideal computation where parties give their inputs to a trusted party which returns the output of 
the functionality to all parties. This is formalized by requiring that for every adversary in the real world, 
there is an adversary in the ideal world, called simulator, such that the output of the real-world adversary 
and the simulator are indistinguishable in polynomial time. Such security can be achieved when there is a 
majority of honest parties ifloll. Secure computation is fair - all parties get the output. Cleve [9] proved that, 
in general, fairness is not possible without an honest majority.

To overcome the impossibility of [9], Gordon and Katz [22] suggested a relaxed definition - 1/p-secure 
computation - which guarantees partial fairness. Informally, a protocol is 1/p-secure if for every adversary 
in the real world, there is a simulator running in the ideal world, such that the output of the real-world 
adversary and the simulator cannot be distinguished with probability greater than 1/p. For two parties, 
Gordon and Katz construct 1/p-secure protocols for functionalities for which the size of either the domain or 
the range is polynomial (in the security parameter). They also give impossibility results when both the 
domain and range are super-polynomial. Gordon and Katz ask whether their results can be extended to 
multiparty protocols. We give positive and negative answers to this question.

Previous Results. Cleve [9] proved that any protocol for coin-tossing without an honest majority cannot 
be fully secure; specifically, if the protocol has $r$ rounds, then it is at most $1/r$-secure. Protocols with partial 
fairness, under various definitions and assumptions, have been constructed for coin-tossing [9, 10, 24, 4], 
for contract signing/exchanging secrets [6, 23, 12, 5, 11, 7], and for general functionalities [7, 13, 2, 11, 
25, 14, 22]. We next describe the papers that are most relevant to our paper. Moran, Naor, and Segev [24] 
construct 2-party protocols for coin tossing that are $1/r$-secure (where $r$ is the number of rounds in the 
protocol). Gordon and Katz [22] define 1/p-security and construct 2-party 1/p-secure protocols for every 
functionality whose domain or range is of polynomial size. Finally, in a 
previous work [4] we construct multiparty protocols for coin tossing that are $O(1/r)$-secure provided that 
the fraction of bad parties is slightly larger than half. In particular, our protocol is $O(1/r)$-secure when the 
number of parties is constant and the fraction of bad parties is less than 2/3.

Gordon et al. [20] showed that complete fairness is possible in the two-party case for some functions. 
Gordon and Katz [19] showed similar results for the multiparty case. The characterization of the functions 
that can be computed with full fairness without an honest majority is open. Completeness for fair computations 
has been studied in [11]. Specifically, they show a specific function that is complete for fair two-party 
computation; this function is also complete for 1/p-secure two-party computation.

1.1 Our Results 

We study 1/p-secure protocols in the multiparty setting. We construct two protocols for general functionalities 
assuming that the fraction of corrupt parties is less than 2/3. The first protocol is efficient when (1) 
the number of parties is constant, the functionality is deterministic, and the size of the domain of inputs is 
at most polynomial in the security parameter, or (2) the number of parties is $O(\log\log n)$ (where $n$ is the 
security parameter), the functionality is deterministic, and the size of the domain of inputs is constant. The 
second protocol is efficient when the number of parties is constant, the functionality can be randomized, and 
the size of the range of the functionality is at most polynomial in the security parameter. Our second protocol 
does not provide correctness, i.e., in case of premature termination, with probability $1/\mathrm{poly}(n)$, the 
remaining active parties output a value which might be inconsistent with their inputs. In contrast, our first 
protocol provides correctness.
Our protocols combine ideas from the protocols of Gordon and Katz [22] and our paper [4], both of 
which generalize the protocol of Moran, Naor, and Segev [24]. Specifically, our protocols proceed in rounds, 
where in each round values are given to subsets of parties. There is a special round $i^*$ in the protocol. Prior to 
round $i^*$, the values given to a subset of parties are values that can be computed from the inputs of the parties 
in this subset; starting from round $i^*$ the values are the "correct" output of the functionality. The values given 
to a subset are secret shared such that only if all parties in the subset cooperate can they reconstruct the 
value. If in some round many (corrupt) parties have aborted such that there is a majority of honest parties 
among the active parties, then the set of active parties reconstructs the value given to this set in the previous 
round.¹ Similar to the protocols of [24, 22, 4], the adversary can cause harm (e.g., bias the output of the 
functionality) only if it guesses $i^*$; we show that in our protocols this probability is small and the protocols 
are 1/p-secure. The values in our protocols are chosen similarly to [22]. The mechanism to secret share the 
values is similar to [4]; however, there are important differences in this sharing, as the sharing mechanism 
of [4] is not appropriate for 1/p-secure computations of functionalities which depend on inputs.

To complete the picture, we prove interesting impossibility results. We show that, in general, when the 
number of parties is super-constant, 1/p-secure protocols are not possible without an honest majority when the 
size of the domain is polynomial. This impossibility result justifies why in our protocols the number 
of parties is constant. We also show that, in general, when the number of parties is $\omega(\log n)$, 1/p-secure 
protocols are not possible without an honest majority even when the size of the domain is 2. The proof of the 
impossibility result is rather simple and follows from an impossibility result of [22].

Our impossibility results should be contrasted with the coin-tossing protocol of [4], which is an efficient 
1/p-secure protocol even when $m(n)$, the number of parties, is polynomial in the security parameter and 
the number of bad parties is $m(n)/2 + O(1)$. Our results show that these parameters are not possible for 
general 1/p-secure protocols even when the size of the domain of inputs is 2.

Open Problems. In both our impossibility results the size of the range is super-polynomial. It is open 
if there is an efficient 1/p-secure protocol when the number of parties is not constant and the size of both 
the domain and range is polynomial. In addition, the impossibility results do not rule out that the double- 
exponential dependency on the number of parties can be improved. 

The protocols of [22] are private - the adversary cannot learn any information on the inputs of the honest 
parties (other than the information that it can learn in the ideal world of computing $\mathcal{F}$). The adversary can 
only bias the output. Our first protocol is not private (that is, the adversary can learn extra information). 
However, we do not know whether the second protocol is private.² It is open if there are general multiparty 
1/p-secure protocols that are also private.

2 Preliminaries 

A multi-party protocol with $m$ parties is defined by $m$ interactive probabilistic polynomial-time Turing 
machines $p_1, \ldots, p_m$. Each Turing machine, called party, has the security parameter $1^n$ as a joint input 
and a private input $y_j$. The computation proceeds in rounds. In each round, the active parties broadcast and 
receive messages on a common broadcast channel. The number of rounds in the protocol is expressed as 
some function $r(n)$ in the security parameter (typically, $r(n)$ is bounded by a polynomial). At the end of 
the protocol, the (honest) parties should hold a common value $w$ (which should be equal to an output of a 
predefined functionality).

¹ As parties can abort during this reconstruction, they actually reconstruct the value of a subset of this set. 
² The problem in our protocols is that the adversary can keep one corrupted party active; thus, the adversary can get the output 
of the honest parties.
In this work we consider a corrupt, static, computationally-bounded (i.e., non-uniform probabilistic 
polynomial-time) adversary that is allowed to corrupt some subset of parties. That is, before the beginning 
of the protocol, the adversary corrupts a subset of the parties and may instruct them to deviate from the 
protocol in an arbitrary way. The adversary has complete access to the internal state of each of the corrupted 
parties and fully controls the messages that they send throughout the protocol. The honest parties follow the 
instructions of the protocol. 

The parties communicate via a synchronous network, using only a broadcast channel. The adversary 
is rushing, that is, in each round the adversary hears the messages broadcast by the honest parties before 
broadcasting the messages of the corrupted parties for this round (thus, broadcast messages of the corrupted 
parties can depend on the broadcast messages of the honest parties in this round). 

Notation. For an integer $\ell$, define $[\ell] = \{1, \ldots, \ell\}$. For a set $J \subseteq [m]$, define $Q_J = \{p_j : j \in J\}$. An 
$m$-party functionality $\mathcal{F} = \{f_n\}_{n \in \mathbb{N}}$ is a sequence of polynomial-time computable, randomized mappings 
$f_n : (X_n)^m \to Z_n$, where $X_n = \{0,1\}^{\ell_d(n)}$ and $Z_n = \{0,1\}^{\ell_r(n)}$ are the domain of inputs of each party 
and the range respectively; $\ell_d, \ell_r : \mathbb{N} \to \mathbb{N}$ are some fixed functions. We denote the size of the domain and 
the range of $\mathcal{F}$ by $d(n)$ and $g(n)$ respectively, that is, $d(n) = 2^{\ell_d(n)}$ and $g(n) = 2^{\ell_r(n)}$. For a randomized 
mapping $f_n$, the assignment $w \leftarrow f_n(x_1, \ldots, x_m)$ denotes the process of computing $f_n$ with the inputs 
$x_1, \ldots, x_m$ and with uniformly chosen random coins and assigning the output of the computation to $w$. If 
$\mathcal{F}$ is deterministic, we sometimes call it a function. We sometimes omit $n$ from functions of $n$ (for example, 
we write $d$ instead of $d(n)$).

2.1 The Real vs. Ideal Paradigm 

The security of multiparty computation protocols is defined using the real vs. ideal paradigm. In this 
paradigm, we consider the real-world model, in which protocols are executed. We then formulate an ideal 
model for executing the task. This ideal model involves a trusted party whose functionality captures the 
security requirements from the task. Finally, we show that the real-world protocol "emulates" the ideal-world 
protocol: for any real-life adversary $\mathcal{A}$ there exists an ideal-model adversary $\mathcal{S}$ (called simulator) such that 
the global output of an execution of the protocol with $\mathcal{A}$ in the real-world model is distributed similarly to 
the global output of running $\mathcal{S}$ in the ideal model. In both models there are $m$ parties $p_1, \ldots, p_m$ holding a 
common input $1^n$ and private inputs $y_1, \ldots, y_m$ respectively, where $y_j \in X_n$ for $1 \le j \le m$.

The Real Model. Let $\Pi$ be an $m$-party protocol computing $\mathcal{F}$. Let $\mathcal{A}$ be a non-uniform probabilistic 
polynomial-time adversary that gets the input $y_j$ of each corrupted party $p_j$ and the auxiliary input $\mathrm{aux}$. 
Let $\mathrm{REAL}_{\Pi,\mathcal{A}(\mathrm{aux})}(\vec{y}, 1^n)$, where $\vec{y} = (y_1, \ldots, y_m)$, be the random variable consisting of the view of the 
adversary (i.e., the inputs of the corrupted parties and the messages it got) and the output of the honest 
parties following an execution of $\Pi$.

The Ideal Model. The basic ideal model we consider is a model without abort. Specifically, there is an 
adversary $\mathcal{S}$ which has corrupted a subset $B$ of the parties. The adversary $\mathcal{S}$ has some auxiliary input $\mathrm{aux}$. 
An ideal execution for computing $\mathcal{F}$ proceeds as follows: 

Send inputs to trusted party: The honest parties send their inputs to the trusted party. The corrupted parties 
may either send their received input, or send some other input of the same length (i.e., $x_j \in X_n$) 
to the trusted party, or abort (by sending a special "abort$_j$" message). Denote by $x_1, \ldots, x_m$ the inputs 
received by the trusted party. If $p_j$ does not send an input, then the trusted party selects $x_j \in X_n$ 
with uniform distribution.³

Trusted party sends outputs: The trusted party computes $f_n(x_1, \ldots, x_m)$ with uniformly random coins 
and sends the output to the parties. 

Outputs: The honest parties output the value sent by the trusted party, the corrupted parties output nothing, 
and $\mathcal{S}$ outputs any arbitrary (probabilistic polynomial-time computable) function of its view (its 
inputs, the output, and the auxiliary input $\mathrm{aux}$). 

Let $\mathrm{IDEAL}_{\mathcal{F},\mathcal{S}(\mathrm{aux})}(\vec{y}, 1^n)$ be the random variable consisting of the output of the adversary $\mathcal{S}$ in this 
ideal world execution and the output of the honest parties in the execution.



2.1.1 1/p-Indistinguishability and 1/p-Secure Computation

As explained in the introduction, some ideal functionalities for computing $\mathcal{F}$ cannot be implemented when 
there is no honest majority. We use 1/p-secure computation, defined by [22], to capture the divergence from 
the ideal world. 

Definition 2.1 (1/p-indistinguishability) A function $\mu(\cdot)$ is negligible if for every positive polynomial $q(\cdot)$ 
and all sufficiently large $n$ it holds that $\mu(n) < 1/q(n)$. A distribution ensemble $X = \{X_{a,n}\}_{a \in \mathcal{D}_n, n \in \mathbb{N}}$ 
is an infinite sequence of random variables indexed by $a \in \mathcal{D}_n$ and $n \in \mathbb{N}$, where $\mathcal{D}_n$ is a domain that 
might depend on $n$. For a fixed function $p(n)$, two distribution ensembles $X = \{X_{a,n}\}_{a \in \mathcal{D}_n, n \in \mathbb{N}}$ and 
$Y = \{Y_{a,n}\}_{a \in \mathcal{D}_n, n \in \mathbb{N}}$ are computationally 1/p-indistinguishable, denoted $X \overset{1/p}{\approx} Y$, if for every non-uniform 
polynomial-time algorithm $D$ there exists a negligible function $\mu(\cdot)$ such that for every $n$ and every $a \in \mathcal{D}_n$, 

$$\Bigl|\Pr[D(X_{a,n}) = 1] - \Pr[D(Y_{a,n}) = 1]\Bigr| \le \frac{1}{p(n)} + \mu(n).$$

Two distribution ensembles are computationally indistinguishable, denoted $X \overset{c}{\equiv} Y$, if for every $c \in \mathbb{N}$ they 
are computationally $1/n^c$-indistinguishable.

We next define the notion of 1/p-secure computation [22]. The definition uses the standard real/ideal 
paradigm [15, 8], except that we consider a completely fair ideal model (as typically considered in the setting 
of honest majority), and require only 1/p-indistinguishability rather than indistinguishability.

Definition 2.2 (1/p-secure computation [22]) Let $p = p(n)$ be a function. An $m$-party protocol $\Pi$ is said 
to 1/p-securely compute a functionality $\mathcal{F}$ where there are at most $t(n)$ corrupt parties, if for every non-uniform 
probabilistic polynomial-time adversary $\mathcal{A}$ in the real model controlling at most $t(n)$ parties, there 
exists a non-uniform probabilistic polynomial-time adversary $\mathcal{S}$ in the ideal model, controlling the same 
parties as $\mathcal{A}$, such that the following two distribution ensembles are computationally 1/p-indistinguishable: 

$$\{\mathrm{IDEAL}_{\mathcal{F},\mathcal{S}(\mathrm{aux})}(\vec{y}, 1^n)\}_{\mathrm{aux} \in \{0,1\}^*, \vec{y} \in (X_n)^m, n \in \mathbb{N}} \overset{1/p}{\approx} \{\mathrm{REAL}_{\Pi,\mathcal{A}(\mathrm{aux})}(\vec{y}, 1^n)\}_{\mathrm{aux} \in \{0,1\}^*, \vec{y} \in (X_n)^m, n \in \mathbb{N}}.$$

We next define statistical distance between two random variables and the notion of perfect 1/p-secure 
computation, which implies the notion of 1/p-secure computation. 



³ For the simplicity of the presentation of our protocols, we present a slightly different ideal world than the traditional one. In 
our model there is no default input in case of an "abort". However, the protocol can be presented in the traditional model, where 
a predefined default input is used if a party aborts.
Definition 2.3 (statistical distance) We define the statistical distance between two random variables $A$ and 
$B$ as the function 

$$\mathrm{SD}(A, B) = \frac{1}{2} \sum_{a} \bigl|\Pr[A = a] - \Pr[B = a]\bigr|.$$

Definition 2.4 (perfect 1/p-secure computation) An $m$-party protocol $\Pi$ is said to perfectly 1/p-securely 
compute a functionality $\mathcal{F}$ if for every non-uniform adversary $\mathcal{A}$ in the real model, there exists a polynomial-time 
adversary $\mathcal{S}$ in the ideal model such that for every $n \in \mathbb{N}$, for every $\vec{y} \in (X_n)^m$, and for every 
$\mathrm{aux} \in \{0,1\}^*$ 

$$\mathrm{SD}\bigl(\mathrm{IDEAL}_{\mathcal{F},\mathcal{S}(\mathrm{aux})}(\vec{y}, 1^n),\ \mathrm{REAL}_{\Pi,\mathcal{A}(\mathrm{aux})}(\vec{y}, 1^n)\bigr) \le \frac{1}{p(n)}.$$

Security with abort and cheat detection is defined in Appendix A. The cryptographic tools we use are 
described in Appendix B.



3 The Multiparty Secure Protocols 

In this section we present our protocols. We start with a protocol that assumes that either the functionality is 
deterministic and the size of the domain is polynomial, or that the functionality is randomized and both the 
domain and range of the functionality are polynomial. We then present a modification of the protocol that is 
1/p-secure for (possibly randomized) functionalities if the size of the range is polynomial (even if the size 
of the domain of T is not polynomial). The first protocol is more efficient for deterministic functionalities 
with polynomial-size domain. Furthermore, the first protocol has full correctness, while in the modified 
protocol, correctness is only guaranteed with probability $1 - 1/p$. 
Formally, we prove the following two theorems.

Theorem 1 Let $\mathcal{F} = \{f_n : (X_n)^m \to Z_n\}$ be a randomized functionality where the size of the domain is $d(n)$ 
and the size of the range is $g(n)$, and let $p(n)$ be a polynomial. If enhanced trap-door permutations exist, 
then for any $m$ and $t$ such that $m/2 < t < 2m/3$, and for any polynomial $p(n)$, there is an $r(n)$-round 
$m$-party $1/p(n)$-secure protocol computing $\mathcal{F}$ tolerating up to $t$ corrupt parties where 
$r(n) = p(n) \cdot \bigl(2 \cdot d(n)^m \cdot g(n) \cdot p(n)\bigr)^{2^t}$, provided that $r(n)$ is bounded by a polynomial in $n$. If $\mathcal{F}$ is deterministic, 
then there is an $r(n)$-round $1/p(n)$-secure protocol for $r(n) = p(n) \cdot d(n)^{m \cdot 2^t}$, provided that $r(n)$ is bounded 
by a polynomial in $n$.

Theorem 2 Let $\mathcal{F} = \{f_n : (X_n)^m \to Z_n\}$ be a randomized functionality where the size of the range $g(n)$ is 
polynomial in $n$ and $m$ is constant, and let $p(n)$ be a polynomial. If enhanced trap-door permutations exist, 
then for $t$ such that $m/2 < t < 2m/3$ and for any polynomial $p(n)$ there is an $r(n)$-round $m$-party $1/p(n)$-secure 
protocol computing $\mathcal{F}$ tolerating up to $t$ corrupt parties where 

$$r(n) = (2p(n))^{2^t + 1} \cdot g(n)^{2^t}.$$

Following [24, 4], we present the first protocol in two stages. We first describe in Section 3.1 a protocol 
with a dealer and then in Section 3.2 present a protocol without this dealer. The goal of presenting the 
protocol in two stages is to simplify the understanding of the protocol and to enable proving the protocol in 
a modular way. In Section 3.3 we present a modification of the protocol which is 1/p-secure if the size of 
the range is polynomial (even if the size of the domain of $\mathcal{F}$ is not polynomial).
3.1 The Protocol for Polynomial-Size Domain with a Dealer

We consider a network with $m$ parties where at most $t$ of them are corrupt such that $m/2 < t < 2m/3$. In 
this section we assume that there is a special trusted on-line dealer, denoted $T$. This dealer interacts with the 
parties in rounds, sending messages on private channels. We assume that the dealer knows the set of corrupt 
parties. In Section 3.2 we show how to remove this dealer and construct a protocol without a dealer.

In our protocol the dealer sends in each round values to subsets of parties; the protocol proceeds with the 
normal execution as long as at least $t + 1$ of the parties are still active. If at some round $i$ there are at most $t$ 
active parties, then the active parties reconstruct the value given to them in round $i - 1$, output this value, and 
halt. Following [24] and its follow-up works [22, 4], the dealer chooses at random with uniform distribution 
a special round $i^*$. Prior to this round the adversary gets no information, and if the corrupt parties abort the 
execution prior to $i^*$, then they cannot bias the output of the honest parties or cause any harm. After round 
$i^*$, the output of the protocol is fixed, and also in this case the adversary cannot affect the output of the 
honest parties. The adversary can cause harm only if it guesses $i^*$, and this happens with small probability.

We next give a verbal description of the protocol. This protocol is designed such that the dealer can be 
removed from it in Section 3.2. A formal description is given in Figure 1. At the beginning of the protocol 
each party sends its input $y_j$ to the dealer. The corrupted parties may send any values of their choice. Let 
$x_1, \ldots, x_m$ denote the inputs received by the dealer. If a corrupt party $p_j$ does not send its input, then the 
dealer sets $x_j$ to be a random value selected uniformly from $X_n$. In a preprocessing phase, the dealer $T$ 
selects uniformly at random a special round $i^* \in [r]$. The dealer computes $w \leftarrow f_n(x_1, \ldots, x_m)$. Then, for 
every round $1 \le i \le r$ and every $J \subseteq \{1, \ldots, m\}$ such that $m - t \le |J| \le t$, the dealer selects an output, 
denoted $\sigma_J^i$, as follows (this output is returned by the parties in $Q_J = \{p_j : j \in J\}$ if the protocol terminates 
in round $i + 1$ and $Q_J$ is the set of the active parties): 

CASE I: $1 \le i < i^*$. For every $j \in J$ the dealer sets $\hat{x}_j = x_j$ and for every $j \notin J$ it chooses $\hat{x}_j$ independently 
with uniform distribution from the domain $X_n$; it computes the output $\sigma_J^i \leftarrow f_n(\hat{x}_1, \ldots, \hat{x}_m)$. 

CASE II: $i^* \le i \le r$. The dealer sets $\sigma_J^i = w$.

The dealer $T$ interacts with the parties in rounds, where in round $i$, for $1 \le i \le r$, there are three 
phases: 

The peeking phase. The dealer sends to the adversary all the values $\sigma_J^i$ such that all parties in $Q_J$ are 
corrupted. 

The abort and premature termination phase. The adversary sends to $T$ the identities of the parties that 
abort in the current round. If there are less than $t + 1$ active parties, then $T$ sends $\sigma_J^{i-1}$ to the active 
parties, where $Q_J$ is the set of the active parties (parties can also abort during this phase; see 
exact details in Figure 1). The honest parties return this output and halt.

The main phase. If at least t + 1 parties are active, T notifies the active parties that the protocol proceeds 
normally. 

If after r rounds, there are at least t + 1 active parties, T sends w to all active parties and the honest parties 
output this value. 

Example 3.1 As an example, assume that $m = 5$ and $t = 3$. In this case the dealer computes a value $\sigma_J^i$ 
for every set $J$ of size 2 or 3. Consider an execution of the protocol where $p_1$ aborts in round 4 and two further 
parties abort in round 100. In this case, $T$ sends $\sigma_J^{99}$ to the two remaining parties, where $Q_J$ is the set of 
these two parties, which return this output.
Inputs: Each party $p_j$ holds a private input $y_j \in X_n$ and the joint input: the security parameter $1^n$, 
the number of rounds $r = r(n)$, and a bound $t$ on the number of corrupted parties. 

Instructions for each honest party $p_j$: (1) After receiving the "start" message, send input 
$y_j$ to the dealer. (2) If the premature termination step is executed with $i = 1$, then send 
its input $y_j$ to the dealer. (3) Upon receiving output $z$ from the dealer, output $z$. (Honest 
parties do not send any other messages throughout the protocol.) 

Instructions for the (trusted) dealer: 

The preprocessing phase: 

1. Set $D_0 = \emptyset$ and send a "start" message to all parties. 

2. Receive an input, denoted $x_j$, from each party $p_j$. For every $p_j$ that sends an 
"abort$_j$" message, notify all parties that party $p_j$ aborted, select $x_j \in X_n$ with 
uniform distribution, and update $D_0 = D_0 \cup \{j\}$. 

3. Let $D = D_0$. If $|D| \ge m - t$, go to premature termination with $i = 1$. 

4. Set $w \leftarrow f_n(x_1, \ldots, x_m)$ and select $i^* \in \{1, \ldots, r\}$ with uniform distribution. 

5. For each $1 \le i < i^*$, for each $J \subseteq [m] \setminus D_0$ s.t. $m - t \le |J| \le t$: for each 
$j \in J$ set $\hat{x}_j = x_j$, for each $j \notin J$ select uniformly at random $\hat{x}_j \in X_n$, and set 
$\sigma_J^i \leftarrow f_n(\hat{x}_1, \ldots, \hat{x}_m)$. 

6. For each $i^* \le i \le r$ and for each $J \subseteq [m] \setminus D_0$ s.t. $m - t \le |J| \le t$, set $\sigma_J^i = w$. 

7. Send "proceed" to all parties. 

Interaction rounds: In each round $1 \le i \le r$, interact with the parties in three phases: 

• The peeking phase: For each $J \subseteq [m] \setminus D_0$ s.t. $m - t \le |J| \le t$, if $Q_J$ contains 
only corrupt parties, send the value $\sigma_J^i$ to all parties in $Q_J$. 

• The abort phase: Upon receiving an "abort$_j$" message from a party $p_j$, notify 
all parties that party $p_j$ aborted (ignore all other types of messages) and update $D = 
D \cup \{j\}$. If $|D| \ge m - t$, go to the premature termination step. 

• The main phase: Send "proceed" to all parties. 

Premature termination step: 

• If $i = 1$, then: Receive an input, denoted $x_j'$, from each active party $p_j$. For every 
party $p_j$ that sends an "abort$_j$" message, update $D = D \cup \{j\}$ and select $x_j' \in X_n$ 
with uniform distribution. Set $w' \leftarrow f_n(x_1', \ldots, x_m')$. 

• Else, if $i > 1$, then: For each "abort$_j$" message received from a party $p_j$, update 
$D = D \cup \{j\}$. Set $w' = \sigma_J^{i-1}$ for $J = [m] \setminus D$. 

• Send $w'$ to each party $p_j$ s.t. $j \notin D_0$ and halt. 

Normal termination: If the last round of the protocol is completed, send $w$ to each party $p_j$ 
s.t. $j \notin D_0$. 

Figure 1: Protocol MPCWithD$_r$.
The formal proof of the 1/p-security of the protocol appears in Appendix C. We next hint why, for 
deterministic functionalities, any adversary can cause harm in the above protocol by at most $O(d^{O(1)}/r)$, 
where $d = d(n)$ is the size of the domain of the inputs and the number of parties, i.e., $m$, is constant. As in 
the protocols of [24, 22, 4], the adversary can only cause harm by causing the protocol to terminate in round 
$i^*$. In our protocol, if in some round $i$ there are two values $\sigma_J^i$ and $\sigma_{J'}^i$ that the adversary can obtain such that 
$\sigma_J^i \ne \sigma_{J'}^i$, then the adversary can deduce that $i < i^*$. Furthermore, the adversary might have some auxiliary 
information on the inputs of the honest parties; thus, the adversary might be able to deduce that a round is 
not $i^*$ even if all the values that it gets are equal. However, there are less than $2^t$ values that the adversary 
can obtain in each round (i.e., the values of subsets of the $t$ corrupt parties of size at least $m - t$). We will 
show that for a round $i$ such that $i < i^*$, the probability that all these values are equal to a fixed value is 
$1/d^{O(1)}$ for a deterministic function $f_n$ (for a randomized functionality this probability also depends on the 
size of the range). By [22, Lemma 2], the protocol is $d^{O(1)}/r$-secure.
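An added Python simulation, not code from the paper, of the dealer of Figure 1 and of the peeking argument above: it builds the values $\sigma_J^i$ around the special round $i^*$, applies the abort and premature-termination rules, and checks whether two peeked values differ. It assumes a constructed deterministic $f_n$ (sum modulo 3 over the domain $\{0, 1, 2\}$), the parameters $m = 5$ and $t = 3$ of Example 3.1, constructed inputs, and an option to fix $i^*$ so that a run is reproducible.

```python
import itertools
import random
from typing import Callable, Dict, FrozenSet, Iterator, List, Optional, Set, Tuple

# Constructed example functionality (an assumption, not from the paper): a
# deterministic f_n over the domain X_n = {0, 1, 2}, f_n(x) = (x_1 + ... + x_m) mod 3.
DOMAIN = [0, 1, 2]


def f_sum_mod3(x: List[int]) -> int:
    return sum(x) % 3


class Dealer:
    """Preprocessing phase of the trusted on-line dealer T of Figure 1 (MPCWithD_r).
    Parties are indexed 0..m-1; an input of None stands for an "abort" in step 2."""

    def __init__(self, f: Callable[[List[int]], int], m: int, t: int, r: int,
                 inputs: List[Optional[int]], rng: random.Random,
                 i_star: Optional[int] = None) -> None:
        if not (m / 2 < t < 2 * m / 3):
            raise ValueError("need m/2 < t < 2m/3")
        self.f, self.m, self.t, self.r, self.rng = f, m, t, r, rng
        self.D0: Set[int] = {j for j, v in enumerate(inputs) if v is None}
        self.x = [rng.choice(DOMAIN) if v is None else v for v in inputs]   # step 2
        self.w = f(self.x)                                                   # step 4
        # i_star may be fixed by the caller only to make a demonstration reproducible.
        self.i_star = rng.randint(1, r) if i_star is None else i_star
        self.sigma: Dict[Tuple[int, FrozenSet[int]], int] = {}
        for J in self.subsets():
            for i in range(1, r + 1):
                if i < self.i_star:   # Case I (step 5): inputs of Q_J, uniform for the rest
                    xhat = [self.x[j] if j in J else rng.choice(DOMAIN) for j in range(m)]
                    self.sigma[(i, J)] = f(xhat)
                else:                 # Case II (step 6): the real output w
                    self.sigma[(i, J)] = self.w

    def subsets(self) -> Iterator[FrozenSet[int]]:
        """Every J subset of [m] \\ D_0 with m - t <= |J| <= t."""
        alive = [j for j in range(self.m) if j not in self.D0]
        for k in range(self.m - self.t, self.t + 1):
            for J in itertools.combinations(alive, k):
                yield frozenset(J)

    def peek(self, i: int, corrupt: FrozenSet[int]) -> Dict[FrozenSet[int], int]:
        """Peeking phase of round i: sigma^i_J for every Q_J made only of corrupt parties."""
        return {J: self.sigma[(i, J)] for J in self.subsets() if J <= corrupt}


def premature_termination(d: Dealer, i: int, D: Set[int]) -> int:
    """Premature termination step of Figure 1, reached in round i with abort set D."""
    if len(D) > d.t:
        raise ValueError("the adversary controls at most t parties")
    if i == 1:
        # Active parties resend their inputs (honest ones resend the same y_j; the
        # simulation assumes corrupt ones do too); aborted parties get uniform defaults.
        xp = [d.rng.choice(DOMAIN) if j in D else d.x[j] for j in range(d.m)]
        return d.f(xp)
    J = frozenset(range(d.m)) - D          # the set of active parties
    return d.sigma[(i - 1, J)]             # the value given to Q_J in the previous round


def run(d: Dealer, aborts: Dict[int, Set[int]]) -> Tuple[int, int]:
    """Interaction rounds of MPCWithD_r against corrupt parties that abort according
    to `aborts` (round -> set of parties). Returns (honest output, last round)."""
    D = set(d.D0)
    if len(D) >= d.m - d.t:                # step 3 of the preprocessing phase
        return premature_termination(d, 1, D), 1
    for i in range(1, d.r + 1):
        D |= aborts.get(i, set())          # the abort phase of round i
        if len(D) >= d.m - d.t:            # fewer than t + 1 parties remain active
            return premature_termination(d, i, D), i
    return d.w, d.r                        # normal termination


def rules_out_round(d: Dealer, i: int, corrupt: FrozenSet[int]) -> bool:
    """The observation of the proof sketch: two different peeked values prove i < i*."""
    return len(set(d.peek(i, corrupt).values())) > 1


def example_dealer(i_star: Optional[int] = None, seed: int = 7,
                   inputs: Optional[List[Optional[int]]] = None) -> Dealer:
    """m = 5 and t = 3 as in Example 3.1, r = 10 rounds, constructed inputs (1, 2, 0, 1, 2)."""
    if inputs is None:
        inputs = [1, 2, 0, 1, 2]
    return Dealer(f_sum_mod3, 5, 3, 10, inputs, random.Random(seed), i_star)
```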

3.2 Eliminating the Dealer of the Protocol 

We eliminate the trusted on-line dealer in a few steps using a few layers of secret-sharing schemes. First, 
we change the on-line dealer, so that, in each round $i$, it shares the value $\sigma_J^i$ of each subset $Q_J$ among 
the parties of $Q_J$ using a $|J|$-out-of-$|J|$ secret-sharing scheme, called the inner secret-sharing scheme. As 
in Protocol MPCWithD$_r$ described in Figure 1, the adversary is able to obtain information on $\sigma_J^i$ only if 
it controls all the parties in $Q_J$. On the other hand, the honest parties can reconstruct $\sigma_J^{i-1}$ (without the 
dealer), where $Q_J$ is the set of active parties containing the honest parties. In the reconstruction, if an active 
(corrupt) party does not give its share, then it is removed from the set of active parties $Q_J$. This is possible 
since in the case of a premature termination an honest majority among the active parties is guaranteed (as 
further explained below).

Next, we convert the on-line dealer to an off-line dealer. That is, we construct a protocol in which the 
dealer sends only one message to each party in an initialization stage; the parties interact in rounds using a 
broadcast channel (without the dealer) and in each round $i$ each party learns its shares of the $i$th round inner 
secret-sharing schemes. In each round $i$, each party $p_j$ learns a share of $\sigma_J^i$ in a $|J|$-out-of-$|J|$ secret-sharing 
scheme, for every set $Q_J$ such that $j \in J$ and $m - t \le |J| \le t$ (that is, it learns the share of the inner 
scheme). For this purpose, the dealer computes, in a preprocessing phase, the appropriate shares for the 
inner secret-sharing scheme. For each round, the shares of each party $p_j$ are then shared in a 2-out-of-2 
secret-sharing scheme, where $p_j$ gets one of the two shares (this share is a mask, enabling $p_j$ to privately 
reconstruct its shares of the appropriate $\sigma_J^i$ although messages are sent on a broadcast channel). All other 
parties get shares in a $t$-out-of-$(m - 1)$ Shamir secret-sharing scheme of the other share of the 2-out-of-2 
secret-sharing. See Construction B.1 for a formal description. We call the resulting secret-sharing scheme 
the outer scheme.
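An added Python example, not the paper's Construction B.1, of the outer scheme just described: a value $R$ is split into a uniform mask kept by $p_j$ and a complement that is Shamir-shared $t$-out-of-$(m-1)$ among the other parties, so that $p_j$ together with any $t$ broadcast complement shares recovers $R$, while the other parties learn only $R$ minus the mask. The prime field, the party numbering $1..m$ and the sample values are constructed assumptions.

```python
import random
from typing import Dict, List, Tuple

# Field for the Shamir scheme (a constructed choice; any prime larger than the shared
# values works). Parties are numbered 1..m so every party id is a non-zero field point.
PRIME = 2 ** 61 - 1


def _eval_poly(coeffs: List[int], x: int, p: int = PRIME) -> int:
    """Horner evaluation of coeffs[0] + coeffs[1] x + ... over GF(p)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def shamir_share(secret: int, threshold: int, party_ids: List[int],
                 rng: random.Random, p: int = PRIME) -> Dict[int, int]:
    """threshold-out-of-len(party_ids) Shamir sharing: party q receives f(q) for a
    uniformly random polynomial f of degree threshold - 1 with f(0) = secret."""
    coeffs = [secret % p] + [rng.randrange(p) for _ in range(threshold - 1)]
    return {q: _eval_poly(coeffs, q, p) for q in party_ids}


def shamir_reconstruct(shares: Dict[int, int], p: int = PRIME) -> int:
    """Lagrange interpolation at x = 0; correct once at least threshold shares are given."""
    pts = list(shares.items())
    secret = 0
    for xi, yi in pts:
        num, den = 1, 1
        for xj, _ in pts:
            if xj != xi:
                num = num * (-xj) % p
                den = den * (xi - xj) % p
        secret = (secret + yi * num * pow(den, p - 2, p)) % p
    return secret


def outer_share(R: int, j: int, m: int, t: int, rng: random.Random,
                p: int = PRIME) -> Tuple[int, Dict[int, int]]:
    """(t+1)-out-of-m sharing of R with respect to p_j: a 2-out-of-2 split into a uniform
    mask (kept by p_j) and a complement, the complement being shared with a
    t-out-of-(m-1) Shamir scheme among the other m - 1 parties (their broadcast shares)."""
    mask = rng.randrange(p)
    complement = (R - mask) % p
    others = [q for q in range(1, m + 1) if q != j]
    return mask, shamir_share(complement, t, others, rng, p)


def outer_reconstruct(mask: int, comp_shares: Dict[int, int], p: int = PRIME) -> int:
    """p_j unmasks: any t complement shares give R - mask, and adding the mask gives R."""
    return (shamir_reconstruct(comp_shares, p) + mask) % p


def demo(R: int = 123456789, j: int = 2, m: int = 5, t: int = 3,
         seed: int = 3) -> Tuple[int, int, int, int]:
    """Constructed run. Returns (R recovered by p_j from its mask and t broadcast shares,
    what t other parties get without the mask, the mask, what only t - 1 shares yield)."""
    rng = random.Random(seed)
    mask, comp = outer_share(R, j, m, t, rng)
    ids = sorted(comp)                                   # the other m - 1 parties
    full = outer_reconstruct(mask, {q: comp[q] for q in ids[:t]})
    without_mask = shamir_reconstruct({q: comp[q] for q in ids[:t]})
    too_few = shamir_reconstruct({q: comp[q] for q in ids[:t - 1]})
    return full, without_mask, mask, too_few
```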

To prevent corrupt parties from cheating, by say, sending false shares and causing reconstruction of 
wrong secrets, every message that a party should send during the execution of the protocol is signed in the 
preprocessing phase (together with the appropriate round number and with the party's index). In addition, 
the dealer sends a verification key to each of the parties. To conclude, the off-line dealer gives each party the 
signed shares for the outer secret sharing scheme together with the verification key. A formal description of 
the functionality of the off-line dealer, called Functionality MultiShareGen, is given in Figure 2.

The protocol with the off-line dealer proceeds in rounds. In round $i$ of the protocol all parties broadcast 
their (signed) shares in the outer $(t + 1)$-out-of-$m$ secret-sharing scheme. Thereafter, each party can unmask 
the message it receives (with its share in the appropriate 2-out-of-2 secret-sharing scheme) to obtain its 
shares in the $|J|$-out-of-$|J|$ inner secret-sharing of the values $\sigma_J^i$ (for the appropriate sets $Q_J$ to which the 
party belongs). If a party stops broadcasting messages or broadcasts improperly signed messages, then all
Joint input: The security parameter $1^n$, the number of rounds in the protocol $r = r(n)$, a 
bound $t$ on the number of corrupted parties, and the set of indices of aborted parties $D_0$. 

Private input: Each party $p_j$, where $j \notin D_0$, has an input $x_j \in X_n$. 

Computing default values and signing keys 

1. For every $j \in D_0$, select $x_j$ with uniform distribution from $X_n$. 

2. Select $i^* \in [r]$ with uniform distribution and compute $w \leftarrow f_n(x_1, \ldots, x_m)$. 

3. For each $1 \le i < i^*$, for each $J \subseteq [m] \setminus D_0$ s.t. $m - t \le |J| \le t$, 

(a) For each $j \in J$, set $\hat{x}_j = x_j$. 

(b) For each $j \notin J$, select uniformly at random $\hat{x}_j \in X_n$. 

(c) Set $\sigma_J^i \leftarrow f_n(\hat{x}_1, \ldots, \hat{x}_m)$. 

4. For each $i^* \le i \le r$ and for each $J \subseteq [m] \setminus D_0$ s.t. $m - t \le |J| \le t$, set $\sigma_J^i = w$. 

5. Compute $(K_{\mathrm{sign}}, K_{\mathrm{ver}}) \leftarrow \mathrm{Gen}(1^n)$. 

Computing signed shares of the inner secret-sharing scheme 

6. For each $i \in \{1, \ldots, r\}$ and for each $J \subseteq [m] \setminus D_0$ s.t. $m - t \le |J| \le t$, 

(a) Create shares of $\sigma_J^i$ in a $|J|$-out-of-$|J|$ secret-sharing scheme for the parties in $Q_J$. 
For each party $p_j \in Q_J$, let $S_j^{i,J}$ be its share of $\sigma_J^i$. 

(b) Sign each share $S_j^{i,J}$: compute $R_j^{i,J} \leftarrow (S_j^{i,J}, i, J, j, \mathrm{Sign}((S_j^{i,J}, i, J, j), K_{\mathrm{sign}}))$. 

Computing shares of the outer secret-sharing scheme 

7. For each $i \in [r]$, for each $J \subseteq [m] \setminus D_0$ s.t. $m - t \le |J| \le t$, and each $j \in J$, 
share $R_j^{i,J}$ using a $(t + 1)$-out-of-$m$ secret-sharing scheme with respect to $p_j$ as defined 
in Construction B.1: compute one masking share $\mathrm{mask}_j(R_j^{i,J})$ and $m - 1$ complement 
shares $(\mathrm{comp}_1(R_j^{i,J}), \ldots, \mathrm{comp}_{j-1}(R_j^{i,J}), \mathrm{comp}_{j+1}(R_j^{i,J}), \ldots, \mathrm{comp}_m(R_j^{i,J}))$. 

Signing the messages of all parties 

8. For every $1 \le q \le m$, compute the message $m_{q,i}$ that $p_q \in P$ broadcasts in round $i$ by 
concatenating (1) $q$, (2) $i$, and (3) the complement shares $\mathrm{comp}_q(R_j^{i,J})$ produced in Step 7 
for $p_q$ (for all $J \subseteq [m] \setminus D_0$ s.t. $m - t \le |J| \le t$ and all $j \ne q$ s.t. $j \in J$), and compute 

$M_{q,i} \leftarrow (m_{q,i}, \mathrm{Sign}(m_{q,i}, K_{\mathrm{sign}}))$. 

Outputs: Each party $p_j$ such that $j \notin D_0$ receives 

• The verification key $K_{\mathrm{ver}}$. 

• The messages $M_{j,1}, \ldots, M_{j,r}$ that $p_j$ broadcasts during the protocol.

• pfs private masks maskj(i?*'' 7 ) produced in Step ©, for each 1 < i < r and each 
J C [m] \ Dq s.t. m - t < \ J\ < t and j G J. 

Figure 2: The initialization functionality MultiShareGen r . 
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other parties consider it as aborted. If m — t or more parties abort, the remaining parties reconstruct the 
value of the set that contains all of them, i.e., cry 1 . In the special case of premature termination already 
in the first round, the remaining active parties engage in a fully secure protocol (with honest majority) to 
compute f n . 

The use of the outer secret-sharing scheme with threshold t + 1 plays a crucial role in eliminating the on- 
line dealer. On the one hand, it guarantees that an adversary, corrupting at most t parties, cannot reconstruct 
the shares of round i before round i. On the other hand, at least m — t parties must abort to prevent the 
reconstruction of the outer secret-sharing scheme (this is why we cannot proceed after m—t parties aborted). 
Furthermore, since t < 2m / 3, when at least m — t corrupt parties aborted, there is an honest majority. To 
see this, assume that at least m — t corrupt parties aborted. Thus, at most t — (m — t) = 2t — m corrupt 
parties are active. There are m — t honest parties (which are obviously active), therefore, as 2t — m < m — t 
(since t < 2m/ 3), an honest majority is achieved when m — t parties abort. In this case we can execute a 
protocol with full security for the reconstruction. 

Finally, we replace the off-line dealer by using a secure-with-abort and cheat-detection protocol computing the functionality computed by the dealer, that is, Functionality MultiShareGen$_r$. Obtaining the outputs of this computation, an adversary is unable to infer any information regarding the inputs of honest parties or the output of the protocol (since it gets $t$ shares of a $(t+1)$-out-of-$m$ secret-sharing scheme). The adversary, however, can prevent the execution, at the price of at least one corrupt party being detected cheating by all other parties. In such an event, the remaining parties will start over without the detected cheating party. This goes on either until the protocol succeeds or until there is an honest majority and a fully secure protocol computing $f_n$ is executed.

A formal description of the protocol appears in Figure 3. The reconstruction functionality used in this protocol (when at least $m - t$ parties aborted) appears in Figure 4. The details of how to construct a protocol secure-with-abort and cheat-detection with $O(1)$ rounds are given in Appendix A.

Inputs: Each party $p_j$ holds the private input $y_j \in X_n$ and the joint input: the security parameter $1^n$, the number of rounds in the protocol $r = r(n)$, and a bound $t$ on the number of corrupted parties.

Preliminary phase:

1. $D_0 = \emptyset$.

2. If $|D_0| < m - t$,

   (a) The parties in $\{p_j : j \in [m] \setminus D_0\}$ execute a secure-with-abort and cheat-detection protocol computing Functionality MultiShareGen$_r$. Each honest party $p_j$ inputs $y_j$ as its input for the functionality.

   (b) If a party $p_j$ aborts, that is, the output of the honest parties is "abort$_j$", then set $D_0 = D_0 \cup \{j\}$, choose $x_j$ uniformly at random from $X_n$, and go to Step 2.

   (c) Else (no party has aborted), denote $D = D_0$ and proceed to the first round.

3. Otherwise ($|D_0| \ge m - t$), the premature termination is executed with $i = 1$.

In each round $i = 1, \dots, r$ do:

4. Each party $p_j$ broadcasts $M_{j,i}$ (containing its shares in the outer secret-sharing scheme).

5. For every $p_j$ s.t. $\mathrm{Ver}(M_{j,i}, K_{\mathrm{ver}}) = 0$, or if $p_j$ broadcasts an invalid or no message, all parties mark $p_j$ as inactive, i.e., set $D = D \cup \{j\}$. If $|D| \ge m - t$, premature termination is executed.

Premature termination step

6. If $i = 1$, the active parties use a multiparty secure protocol (with full security) to compute $f_n$: each honest party inputs $y_j$ and the input of each inactive party is chosen uniformly at random from $X_n$. The active parties output the result, and halt.

7. Otherwise,

   (a) Each party $p_j$ reconstructs $R^{i-1,J}_j$, the signed share of the inner secret-sharing scheme produced in Step 6 of Functionality MultiShareGen$_r$, for each $J \subseteq [m] \setminus D_0$ s.t. $m - t \le |J| \le t$ and $j \in J$.

   (b) The active parties execute a secure multiparty protocol with an honest majority to compute Functionality Reconstruction, where the input of each party $p_j$ is $R^{i-1,J}_j$ for every $J \subseteq [m] \setminus D_0$ s.t. $m - t \le |J| \le t$ and $j \in J$.

   (c) The active parties output the output of this protocol, and halt.

At the end of round $r$:

8. Each active party $p_j$ broadcasts the signed shares $R^{r,J}_j$ for each $J$ such that $j \in J$.

9. Let $J \subseteq [m] \setminus D$ be the lexicographically first set such that all the parties in $Q_J$ broadcast properly signed shares $R^{r,J}_j$. Each active party reconstructs the value $\sigma^r_J$, outputs $\sigma^r_J$, and halts.

Figure 3: The $m$-party protocol MPC$_r$ for computing $\mathcal{F}$.

Joint Input: The round number $i$, the indices of inactive parties $D$, a bound $t$ on the number of corrupted parties, and the verification key $K_{\mathrm{ver}}$.

Private Input of $p_j$: A set of signed shares $R^{i-1,J}_j$ for each $J \subseteq [m] \setminus D$ s.t. $m - t \le |J| \le t$ and $j \in J$.

Computation:

1. For each $p_j$, if $p_j$'s input is not appropriately signed or is malformed, then $D = D \cup \{j\}$.

2. Set $J = [m] \setminus D$.

3. Reconstruct $\sigma^{i-1}_J$ from the shares of all the parties in $Q_J$.

Outputs: All parties receive the value $\sigma^{i-1}_J$ (as their output).

Figure 4: Functionality Reconstruction for reconstructing the output in the premature termination step.

Comparison with the multiparty coin-tossing protocol of [4]. Our protocol combines ideas from the protocols of [22] and [4]. However, there are some important differences between our protocol and the protocol of [4]. In the coin-tossing protocol of [4], the bits $\sigma^i_J$ are shared using a threshold scheme where the threshold is smaller than the size of the set $Q_J$. This means that a proper subset of $Q_J$ containing corrupt parties can reconstruct $\sigma^i_J$. In coin-tossing this is not a problem since there are no inputs. However, when computing functionalities with inputs, such a $\sigma^i_J$ might reveal information on the inputs of honest parties in $Q_J$, and we therefore share $\sigma^i_J$ with threshold $|Q_J|$. As a result, we use more sets $Q_J$ than in [4] and the bias of the protocol is increased (put differently, to keep the same security, we need to increase the number of rounds in the protocol). For example, the protocol of [4] has small bias when there are polynomially many parties and $t = m/2$. Our protocol is efficient only when there is a constant number of parties. As explained in Section 4, this difference is inherent, as a protocol for general functionalities with polynomially many parties and $t = m/2$ cannot have a small bias.

3.3 A 1/p-Secure Protocol for Polynomial Range

Using an idea of [22], we modify our protocol such that it will have a small bias when the size of the range of the functionality $\mathcal{F}$ is polynomially bounded (even if $\mathcal{F}$ is randomized and has a big domain of inputs). The only modification is the way that each $\sigma^i_J$ is chosen prior to round $i^*$: with probability $1/(2p)$ we choose $\sigma^i_J$ as a random value in the range of $f_n$, and with probability $1 - 1/(2p)$ we choose it as in Figure 2. Formally, in the model with the dealer, in the preprocessing phase of MPCWithD$_r$ described in Figure 1, we replace Step 3 with the following step:

• For each $i \in \{1, \dots, i^* - 1\}$ and for each $J \subseteq [m] \setminus D_0$ s.t. $m - t \le |J| \le t$,

  - with probability $1/(2p)$, select uniformly at random $z^i_J \in Z_n$ and set $\sigma^i_J = z^i_J$;

  - with the remaining probability $1 - 1/(2p)$,

    1. For every $j \notin J$ select uniformly at random $\hat{x}_j \in X_n$, and for each $j \in J$, set $\hat{x}_j = x_j$.

    2. Compute $\sigma^i_J \leftarrow f_n(\hat{x}_1, \dots, \hat{x}_m)$.

Similarly, in the protocol without the dealer, Protocol MPC$_r$, we replace Step 3 in MultiShareGen$_r$ (described in Figure 2) with the above step. Denote the resulting protocols in the models with and without the dealer by MPCWithDForRange$_r$ and MPCForRange$_r$, respectively.

The idea why this change improves the protocol is that now the probability that all values held by the adversary are equal prior to round $i^*$ is bigger; thus, the probability that the adversary guesses $i^*$ is smaller. This modification, however, can cause the honest parties to output a value that is not possible given their inputs, and, in general, we cannot simulate the case (which happens with probability $1/(2p)$) when the output is chosen with uniform distribution from the range.
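To make the dealer's choice of the values $\sigma^i_J$ concrete, here is a small simulation of the dealer model, added for this page and not code from the paper: it implements Steps 2 to 4 of Figure 2 (with the Section 3.3 replacement of Step 3 as an option), hands the adversary exactly the values of the sets $J$ inside its coalition in each round, and applies the premature-termination rule (a fully secure computation with random inputs for the aborted parties in round 1, and $\sigma^{i-1}$ of the set of remaining parties afterwards). The parameters $m = 5$, $t = 3$, the domain $\{0,\dots,4\}$, the function $f = $ sum mod 5, $D_0 = \emptyset$ and the adversary strategy (all corrupt parties abort in one chosen round) are constructed assumptions; the signing and the two secret-sharing layers are left out because they do not affect which values the parties end up holding.

```python
import random
from itertools import combinations

# Constructed toy parameters (not from the paper): m = 5 parties, t = 3 corrupt
# (t < 2m/3 holds), domain X_n = {0,...,4} and the deterministic f = sum mod 5.
M, T, DOMAIN = 5, 3, list(range(5))


def f_sum(xs):
    return sum(xs) % 5


def candidate_sets(m, t, excluded=()):
    """All J subset of [m] \\ excluded with m - t <= |J| <= t (Figure 2).
    Parties are 0-based here; `excluded` plays the role of D_0."""
    alive = [j for j in range(m) if j not in excluded]
    return [J for size in range(m - t, t + 1) for J in combinations(alive, size)]


def dealer_preprocess(f, x, domain, m, t, r, rng, range_values=None, p=None):
    """Steps 2-4 of MultiShareGen_r (Figure 2) with D_0 empty. When
    range_values and p are given, Step 3 is replaced by the Section 3.3
    variant: with probability 1/(2p) the value is uniform in the range."""
    i_star = rng.randrange(1, r + 1)
    w = f(x)
    sigma = {}                      # (i, J) -> sigma^i_J
    for i in range(1, r + 1):
        for J in candidate_sets(m, t):
            if i >= i_star:
                sigma[(i, J)] = w   # Step 4: from round i* on every set holds w
            elif range_values is not None and rng.random() < 1.0 / (2 * p):
                sigma[(i, J)] = rng.choice(range_values)   # Section 3.3 branch
            else:
                # Step 3: real inputs for j in J, fresh random inputs otherwise
                xs = [x[j] if j in J else rng.choice(domain) for j in range(m)]
                sigma[(i, J)] = f(xs)
    return i_star, sigma


def run_with_dealer(f, x, domain, m, t, r, corrupt, abort_round, rng, **kw):
    """One execution of MPCWithD_r. The adversary controls `corrupt` (at most
    t parties), sees sigma^i_J for every J inside its coalition in round i,
    and makes all its parties abort in round `abort_round` (None = never).
    Returns (i_star, adversary_view, honest_output)."""
    corrupt = set(corrupt)
    assert len(corrupt) <= t, "more corrupt parties than the bound t"
    i_star, sigma = dealer_preprocess(f, x, domain, m, t, r, rng, **kw)
    honest = tuple(j for j in range(m) if j not in corrupt)
    view = []
    for i in range(1, r + 1):
        # Peeking phase: the dealer reveals sigma^i_J to the parties of Q_J,
        # so the adversary learns exactly the values of the sets J within B.
        view.append({J: v for (ri, J), v in sigma.items()
                     if ri == i and set(J) <= corrupt})
        if abort_round == i and len(corrupt) >= m - t:
            if i == 1:
                # Premature termination in round 1: fully secure computation
                # with uniformly random inputs substituted for aborted parties.
                xs = [x[j] if j in honest else rng.choice(domain) for j in range(m)]
                return i_star, view, f(xs)
            # Later rounds: the remaining parties reconstruct sigma^{i-1} of the
            # set consisting of exactly themselves (Figure 4 with D = corrupt).
            return i_star, view, sigma[(i - 1, honest)]
    # Normal termination: every sigma^r_J equals w, so any set J gives the output.
    return i_star, view, sigma[(r, candidate_sets(m, t)[0])]


def demo(seed, abort_round, **kw):
    """Fixed constructed instance: inputs (1, 2, 3, 4, 0), r = 6 rounds,
    corrupt coalition B = {0, 1, 2}; `seed` fixes the dealer's coins."""
    rng = random.Random(seed)
    return run_with_dealer(f_sum, [1, 2, 3, 4, 0], DOMAIN, M, T, 6,
                           {0, 1, 2}, abort_round, rng, **kw)


if __name__ == "__main__":
    i_star, view, out = demo(2024, 3)
    print("i* =", i_star, "output of honest parties:", out)
    for i, vals in enumerate(view, 1):
        print("round", i, "adversary sees", sorted(vals.values()))
```

Running it with different abort rounds shows the two regimes of the analysis in Appendix C: an abort in any round after $i^*$ leaves the honest output at $f(x)$, while an abort in round $i^*$ itself makes the honest parties output a $\sigma^{i^*-1}$ value computed from random substitutes for the corrupt inputs.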

4 Impossibility of 1/p-secure Computation with Non-Constant Number of Parties

For deterministic functions, our protocol is efficient when the number of parties $m$ is constant and the size of the domain or range is polynomial (in the security parameter $n$), or when the number of parties is $O(\log\log n)$ and the size of the domain is constant. We next show that, in general, there is no efficient protocol when the number of parties is $m(n) = \omega(1)$ and the size of the domain is polynomial, and when $m(n) = \omega(\log n)$ and the size of the domain of each party is 2. This is done using the following impossibility result of Gordon and Katz [22].

Theorem 3 ([22]) For every $\ell(n) = \omega(\log n)$, there exists a deterministic 2-party functionality $\mathcal{F}$ with domain and range $\{0,1\}^{\ell(n)}$ that cannot be 1/p-securely computed for $p > 2 + 1/\mathrm{poly}(n)$.

We next state and prove our impossibility results.

Theorem 4 For every $m(n) = \omega(\log n)$, there exists a deterministic $m(n)$-party functionality $\mathcal{F}'$ with domain $\{0,1\}$ that cannot be 1/p-securely computed for $p > 2 + 1/\mathrm{poly}(n)$ without an honest majority.

Proof: Let $\ell(n) = m(n)/2$ (for simplicity, assume $m(n)$ is even). Let $\mathcal{F} = \{f_n\}_{n \in \mathbb{N}}$ be the functionality guaranteed in Theorem 3 for $\ell(n)$. Define an $m(n)$-party deterministic functionality $\mathcal{F}' = \{f'_n\}_{n \in \mathbb{N}}$, where in $f'_n$ party $p_j$ gets the $j$th bit of the inputs of $f_n$, and the outputs of $f_n$ and $f'_n$ are equal. Assume that $\mathcal{F}'$ can be 1/p-securely computed by a protocol $\Pi'$ assuming that $t(n) = m(n)/2$ parties can be corrupted. This implies a 1/p-secure protocol $\Pi$ for $\mathcal{F}$ with two parties, where the first party simulates the first $t(n)$ parties in $\Pi'$ and the second party simulates the last $t(n)$ parties. The 1/p-security of $\Pi$ is implied by the fact that any adversary $\mathcal{A}$ for the protocol $\Pi$ can be transformed into an adversary $\mathcal{A}'$ for $\Pi'$ controlling $m(n)/2 = t(n)$ parties; as $\mathcal{A}'$ cannot violate the 1/p-security of $\Pi'$, the adversary $\mathcal{A}$ cannot violate the 1/p-security of $\Pi$. □

Theorem 5 For every $m(n) = \omega(1)$, there exists a deterministic $m(n)$-party functionality $\mathcal{F}''$ with domain $\{0,1\}^{\log n}$ that cannot be 1/p-securely computed for $p > 2 + 1/\mathrm{poly}(n)$ without an honest majority.

Proof: Let $\ell(n) = 0.5\, m(n) \log n$ and let $\mathcal{F} = \{f_n\}_{n \in \mathbb{N}}$ be the functionality guaranteed in Theorem 3 for $\ell(n)$. We divide the $2\ell(n)$ bits of the inputs of $f_n$ into $m(n)$ blocks of length $\log n$. Define an $m(n)$-party deterministic functionality $\mathcal{F}'' = \{f''_n\}_{n \in \mathbb{N}}$, where in $f''_n$ party $p_j$ gets the $j$th block of the inputs of $f_n$, and the outputs of $f_n$ and $f''_n$ are equal. As in the proof of Theorem 4, a 1/p-secure protocol for $\mathcal{F}''$ implies a 1/p-secure protocol for $\mathcal{F}$, contradicting Theorem 3. □

The above impossibility results should be contrasted with the coin-tossing protocol of [4], which is an efficient 1/p-secure protocol even when $m$ is polynomial in the security parameter and the number of bad parties is $m(n)/2 + O(1)$. Notice that in both our impossibility results the size of the range is super-polynomial (as we consider the model where all parties get the same output). It is open whether there is an efficient 1/p-secure protocol when the number of parties is not constant and the size of both the domain and range is polynomial.
A Security with Abort and Cheat Detection

We next present a definition of secure multiparty computation that is more stringent than standard definitions of secure computation with abort. This definition extends the definition for secure computation as given by Aumann and Lindell. Roughly speaking, the definition requires that one of two events is possible: (1) the protocol terminates normally, and all parties receive their outputs, or (2) corrupted parties deviate from the prescribed protocol; in this case the adversary obtains the outputs of the corrupted parties (but nothing else), and all honest parties are given the identity of one party that has aborted. The formal definition uses the real vs. ideal paradigm as discussed in Section 2.1. We next describe the appropriate ideal model.

Execution in the ideal model. Let $B \subseteq [m]$ denote the set of indices of corrupted parties controlled by an adversary $\mathcal{A}$. The adversary $\mathcal{A}$ receives an auxiliary input denoted aux. An ideal execution proceeds as follows:

Send inputs to trusted party: The honest parties send their inputs to the trusted party. The corrupted parties may either send their received input, or send some other input of the same length (i.e., $x_j \in X_n$) to the trusted party, or abort (by sending a special "abort$_j$" message). Denote by $x_1, \dots, x_m$ the inputs received by the trusted party. If the trusted party receives an "abort$_j$" message, then it sends "abort$_j$" to all honest parties and terminates (if it received "abort$_j$" from more than one $j$, then it uses the minimal such $j$).

Trusted party sends outputs to adversary: The trusted party computes $w \leftarrow f_n(x_1, \dots, x_m)$ and sends the output $w$ to the adversary.

Adversary instructs the trusted party to continue or halt: $\mathcal{A}$ sends either a "continue" message or "abort$_j$" to the trusted party for some corrupt party $p_j$, i.e., $j \in B$. If it sends a "continue" message, the trusted party sends $w$ to all honest parties. Otherwise, if the adversary sends "abort$_j$", then the trusted party sends "abort$_j$" to all honest parties.

Outputs: An honest party always outputs the value $w$ it obtained from the trusted party. The corrupted parties output nothing. The adversary $\mathcal{A}$ outputs any (probabilistic polynomial-time computable) function of the auxiliary input aux, the inputs of the corrupt parties, and the value $w$ obtained from the trusted party.

We let $\mathrm{IDEAL}^{\mathrm{abort}}_{\mathcal{F},\mathcal{S}(\mathrm{aux})}(y, 1^n)$ and $\mathrm{REAL}_{\Pi,\mathcal{A}(\mathrm{aux})}(y, 1^n)$ be defined as in Section 2.1 (where in this

a $\perp$ symbol. This means that the honest parties know the identity of a corrupted party that causes the abort. This cheat-detection is achieved by most multiparty protocols, including that of [16], but not all (e.g., the protocol of [18] does not meet this requirement). Using this notation we define secure computation with abort and cheat-detection.

Definition A.1 (security-with-abort and cheat-detection) Let $\mathcal{F}$ and $\Pi$ be as in Definition 2.2. A protocol $\Pi$ is said to securely compute $\mathcal{F}$ against at most $t(n)$ corrupt parties with abort and cheat-detection if for every non-uniform polynomial-time adversary $\mathcal{A}$ in the real model controlling at most $t(n)$ parties, there exists a non-uniform polynomial-time adversary $\mathcal{S}$ in the ideal model controlling the same parties, such that

$\mathrm{aux} \in \{0,1\}^*,\ y \in (X_n)^m,\ n \in \mathbb{N}$

B Cryptographic Tools

Signature Schemes. Informally, a signature on a message proves that the message was created by its presumed sender, and that its content was not altered. A signature scheme is a triple (Gen, Sign, Ver) containing the key generation algorithm Gen, which outputs a pair of keys, the signing key $K_S$ and the verification key $K_V$, the signing algorithm Sign, and the verifying algorithm Ver. We assume that it is infeasible to produce signatures without holding the signing key. For a formal definition see [13].

Secret Sharing Schemes. An $a$-out-of-$m$ secret-sharing scheme is a mechanism for sharing data among a set of parties such that every set of size $a$ can reconstruct the secret, while any smaller set knows nothing about the secret. In this paper, we use two schemes: the XOR-based $m$-out-of-$m$ scheme (i.e., in this scheme $a = m$) and Shamir's $a$-out-of-$m$ secret-sharing scheme [26], which is used when $a < m$. In both schemes, for every $a - 1$ parties, the shares of these parties are uniformly distributed and independent of the secret. Furthermore, given such $a - 1$ shares and a secret $s$, one can efficiently complete them to $m$ shares of the secret $s$.

In our protocols we sometimes require that a single party learns the value of a secret that is shared among all parties. Since all messages are sent over a broadcast channel, we use two layers of secret sharing to obtain the above requirement, as described below.

Construction B.1 (secret sharing with respect to a certain party) Let $s$ be a secret taken from some finite field $\mathbb{F}$. We share $s$ among $m$ parties with respect to a (special) party $p_j$ in an $a$-out-of-$m$ secret-sharing scheme as follows:

1. Choose shares $(s^{(1)}, s^{(2)})$ of the secret $s$ in a two-out-of-two secret-sharing scheme (that is, select $s^{(1)} \in \mathbb{F}$ uniformly at random and compute $s^{(2)} = s - s^{(1)}$). Denote these shares by $\mathrm{mask}_j(s)$ and $\mathrm{comp}(s)$, respectively.

2. Compute shares $(\lambda^{(1)}, \dots, \lambda^{(j-1)}, \lambda^{(j+1)}, \dots, \lambda^{(m)})$ of the secret $\mathrm{comp}(s)$ in an $(a-1)$-out-of-$(m-1)$ Shamir secret-sharing scheme. For each $\ell \ne j$, denote $\mathrm{comp}_\ell(s) = \lambda^{(\ell)}$.

Output:

• The share of party $p_j$ is $\mathrm{mask}_j(s)$. We call this share "$p_j$'s masking share".

• The share of each party $p_\ell$, where $\ell \ne j$, is $\mathrm{comp}_\ell(s)$. We call this share "$p_\ell$'s complement share".

In the above scheme, we share the secret $s$ among the parties in $P$ in an $a$-out-of-$m$ secret-sharing scheme where only sets of size $a$ that contain $p_j$ can reconstruct the secret. In this construction, for every $\beta < a$ parties, the shares of these parties are uniformly distributed and independent of the secret. Furthermore, given such $\beta < a$ shares and a secret $s$, one can efficiently complete them to $m$ shares of the secret $s$. In addition, given $\beta$ shares and a secret $s$, one can efficiently select uniformly at random a vector of shares completing the $\beta$ shares to $m$ shares of $s$.
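The two-layer sharing of Construction B.1 in working code, as an added example written for this page (not the paper's own code and not any library's API): the field $\mathrm{GF}(2^{61}-1)$, the party numbering $1, \dots, m$ and the helper names are assumptions. The test cases at the bottom show the access structure the construction is meant to give: a set of $a$ parties containing $p_j$ reconstructs $s$, a set of $a$ parties without $p_j$ recovers only $\mathrm{comp}(s)$ and so cannot return $s$, and a set containing $p_j$ but fewer than $a - 1$ complement shares also fails.

```python
import random

# Constructed: a prime field large enough for the secrets, with more than m
# nonzero evaluation points; any prime P > m would do for Shamir sharing.
P = 2**61 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... over GF(P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def shamir_share(secret, k, ids, rng):
    """k-out-of-len(ids) Shamir sharing; `ids` are distinct nonzero points."""
    coeffs = [secret % P] + [rng.randrange(P) for _ in range(k - 1)]
    return {i: _eval_poly(coeffs, i) for i in ids}


def shamir_reconstruct(shares):
    """Lagrange interpolation at 0 of a {point: value} dictionary."""
    secret = 0
    for i, yi in shares.items():
        num = den = 1
        for j in shares:
            if j != i:
                num = num * (-j) % P
                den = den * (i - j) % P
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return secret


def share_wrt_party(secret, a, m, j, rng=None):
    """Construction B.1: a-out-of-m sharing of `secret` with respect to p_j.
    Parties are 1..m. p_j receives the masking share s^(1); every other party
    p_l receives comp_l(s), a share of s^(2) = s - s^(1) in an
    (a-1)-out-of-(m-1) Shamir scheme."""
    rng = rng or random.SystemRandom()
    mask = rng.randrange(P)                 # s^(1) = mask_j(s), uniform in F
    comp = (secret - mask) % P              # s^(2) = comp(s)
    others = [l for l in range(1, m + 1) if l != j]
    comps = shamir_share(comp, a - 1, others, rng)
    shares = {j: ("mask", mask)}
    shares.update({l: ("comp", v) for l, v in comps.items()})
    return shares


def reconstruct_wrt_party(shares, a):
    """Reconstruct from a subset {party: share}. Returns None unless the subset
    holds p_j's masking share and at least a-1 complement shares; without the
    mask the subset can at best learn comp(s), which is independent of s."""
    masks = [v for kind, v in shares.values() if kind == "mask"]
    comps = {l: v for l, (kind, v) in shares.items() if kind == "comp"}
    if len(masks) != 1 or len(comps) < a - 1:
        return None
    comp = shamir_reconstruct(dict(list(comps.items())[:a - 1]))
    return (masks[0] + comp) % P


if __name__ == "__main__":
    # Constructed instance: m = 5 parties, threshold a = t + 1 = 3, special party p_2.
    sh = share_wrt_party(12345, 3, 5, 2)
    print("p_1,p_2,p_3 ->", reconstruct_wrt_party({k: sh[k] for k in (1, 2, 3)}, 3))
    print("p_1,p_3,p_4 ->", reconstruct_wrt_party({k: sh[k] for k in (1, 3, 4)}, 3))
```

In the protocol, $s$ is the signed inner share $R^{i,J}_j$ and $a = t + 1$: the $t$ corrupt parties may hold every complement share of an honest $p_j$ and still learn nothing about $R^{i,J}_j$, while $p_j$ recovers it from any $t$ broadcast complement shares together with its private mask.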

C Proof of 1/p-Security of the Protocols with a Dealer

In this section we prove that our protocols described in Section 3 that assume a trusted dealer are perfect $1/\mathrm{poly}$-secure implementations of the ideal functionality $\mathcal{F}$. We start by presenting in Appendix C.1 a simulator for Protocol MPCWithD$_r$. In Appendix C.2, we prove the correctness of the simulation by showing that the global output in the ideal world is distributed within $1/\mathrm{poly}$ statistical distance from the global output in the real world. In Appendix C.3 we describe the required modifications to the simulator for the protocol for $\mathcal{F}$ that has a polynomial-size range, and argue that the modified simulation is correct.

C.1 The Simulator for Protocol MPCWithD$_r$

We next present a simulator $\mathcal{S}_T$ for Protocol MPCWithD$_r$, described in Figure 1. Let $B$ be the set of indices of corrupted parties in the execution.

The simulator $\mathcal{S}_T$ invokes $\mathcal{A}$ on the set of inputs $\{y_j : j \in B\}$, the security parameter $1^n$, and the auxiliary input aux, playing the role of the trusted dealer in the interaction with $\mathcal{A}$.

Simulating the preprocessing phase:

1. $D_0 = \emptyset$.

2. The simulator $\mathcal{S}_T$ sends a "start" message to all corrupt parties.

3. $\mathcal{S}_T$ receives a set of inputs $\{x_j : j \in B\}$ that $\mathcal{A}$ submits to the computation of the dealer. If $\mathcal{A}$ does not submit an input on behalf of $p_j$, i.e., $\mathcal{A}$ sends an "abort$_j$" message, then the simulator $\mathcal{S}_T$ notifies all corrupted parties that party $p_j$ aborted and updates $D_0 = D_0 \cup \{j\}$.

4. $\mathcal{S}_T$ sets $D = D_0$. If $|D| \ge m - t$, the simulator sets $i = 1$ and proceeds to simulate the premature termination step.

5. $\mathcal{S}_T$ selects $i^* \in \{1, \dots, r\}$ with uniform distribution.

6. For each $i \in \{1, \dots, i^* - 1\}$ and for each $J \subseteq B \setminus D_0$ s.t. $m - t \le |J| \le t$ do

   (a) For each $j \in [m]$, if $j \in J$, then $\mathcal{S}_T$ sets $\hat{x}_j = x_j$; else, $\mathcal{S}_T$ selects uniformly at random $\hat{x}_j \in X_n$.

   (b) $\mathcal{S}_T$ sets $\sigma^i_J \leftarrow f_n(\hat{x}_1, \dots, \hat{x}_m)$.

7. The simulator $\mathcal{S}_T$ sends "proceed" to all corrupt parties.

Simulating interaction rounds: In each round $1 \le i \le r$, the simulator $\mathcal{S}_T$ interacts in three phases with the parties $\{p_j : j \in B \setminus D_0\}$, i.e., the corrupt parties which are active so far:

• The peeking phase:

  - If $i = i^*$, the simulator $\mathcal{S}_T$ sends the set of inputs $\{x_j : j \in B \setminus D_0\}$ to the trusted party computing $\mathcal{F}$ and receives $w_B$.

  - For each $J \subseteq B \setminus D_0$ s.t. $m - t \le |J| \le t$ do

    1. If $i \in \{1, \dots, i^* - 1\}$, the simulator $\mathcal{S}_T$ sends the value $\sigma^i_J$ (prepared in the simulation of the preprocessing phase) to all parties in $Q_J$ (i.e., to the adversary).

    2. Else, if $i \in \{i^*, \dots, r\}$, $\mathcal{S}_T$ sends the value $w_B$ to all parties in $Q_J$ (i.e., to the adversary).

• The abort phase: Upon receiving an "abort$_j$" message from a party $p_j$,

  1. $\mathcal{S}_T$ notifies all corrupted parties that party $p_j$ aborted.

  2. $\mathcal{S}_T$ updates $D = D \cup \{j\}$.

  3. If at least $m - t$ parties have aborted so far, that is, $|D| \ge m - t$, the simulator $\mathcal{S}_T$ proceeds to simulate the premature termination step.

• The main phase: $\mathcal{S}_T$ sends "proceed" to all corrupt parties.

Simulating the premature termination step:

• If the premature termination step occurred in round $i = 1$,

  - The simulator $\mathcal{S}_T$ receives a set of inputs $\{x_j : j \in B \setminus D\}$ that $\mathcal{A}$ submits to the computation of the dealer. If $\mathcal{A}$ does not submit an input on behalf of $p_j$, i.e., sends an "abort$_j$" message, then the simulator $\mathcal{S}_T$ notifies all corrupted parties that party $p_j$ aborted and updates $D = D \cup \{j\}$.

  - The simulator $\mathcal{S}_T$ sends the set of inputs $\{x_j : j \in B \setminus D\}$ to the dealer and receives $w_B$.

• If the premature termination step occurred in round $1 < i < i^*$,

  1. Upon receiving an "abort$_j$" message from a party $p_j$, the simulator $\mathcal{S}_T$ updates $D = D \cup \{j\}$.

  2. The simulator $\mathcal{S}_T$ sends the set of inputs $\{x_j : j \in B \setminus D\}$ to the trusted party computing $\mathcal{F}$ and receives $w_B$.

• (If the premature termination step occurred in round $i^* \le i \le r$, then $\mathcal{S}_T$ already has $w_B$.)

• $\mathcal{S}_T$ sends the value $w_B$ to each party in $\{p_j : j \in B \setminus D_0\}$.

Simulating normal termination: If the last round of the protocol is completed, then $\mathcal{S}_T$ sends $w_B$ to each party in $\{p_j : j \in B \setminus D\}$.

At the end of the interaction with $\mathcal{A}$, the simulator outputs the sequence of messages exchanged between the simulator and the corrupted parties.

C.2 Proof of the Correctness of the Simulation for MPCWithD$_r$

In order to prove the correctness of the simulation described in Appendix C.1, we consider the two random variables from Section 2.1, both of the form $(V, C)$, where $V$ describes a possible view of $\mathcal{A}$, and $C$ describes a possible output of the honest parties (i.e., $C \in Z_n$). The first random variable $\mathrm{REAL}_{\mathrm{MPCWithD}_r,\mathcal{A}(\mathrm{aux})}(y, 1^n)$ describes the real world, an execution of Protocol MPCWithD$_r$, where $V$ describes the view of the adversary $\mathcal{A}$ in this execution, and $C$ is the output of the honest parties in this execution. The second random variable $\mathrm{IDEAL}_{\mathcal{F},\mathcal{S}_T(\mathrm{aux})}(y, 1^n)$ describes the ideal world, an execution with the trusted party computing $\mathcal{F}$ (this trusted party is denoted by $T_{\mathcal{F}}$), where $V$ describes the output of the simulator $\mathcal{S}_T$ in this execution, and $C$ is the output of the honest parties in this execution. For the rest of this section, we simplify notation and denote the above two random variables by $\mathrm{REAL} = (V_{\mathrm{REAL}}, C_{\mathrm{REAL}})$ and $\mathrm{IDEAL} = (V_{\mathrm{IDEAL}}, C_{\mathrm{IDEAL}})$, respectively.

We consider the probability of a given pair $(v, c)$ according to the two different random variables. We compare the following two probabilities: (1) the probability that $v$ is the view of the adversary $\mathcal{A}$ in an execution of Protocol MPCWithD$_r$ and $c$ is the output of the honest parties in this execution, where the probability is taken over the random coins of the dealer $T$; (2) the probability that $v$ is the output of the simulator $\mathcal{S}_T$ in an ideal-world execution with the trusted party $T_{\mathcal{F}}$ and $c$ is the output of the honest parties in this execution, where the probability is taken over the random coins of the simulator $\mathcal{S}_T$ and the random coins of the ideal-world trusted party $T_{\mathcal{F}}$.

In Lemma C.3 we prove the correctness of the simulation by showing that the two random variables are within statistical distance $1/\mathrm{poly}$. For the proof of the lemma we need the following claim from [22].

Claim C.1 ([22, Lemma 2]) Let $\mathcal{A}$ be an adversary in Protocol MPCWithD$_r$ and let $x_1, \dots, x_m$ be a set of inputs. Assume that for every possible output $w$ obtained by the dealer using this set of inputs, the probability that in a round $i < i^*$ all the values that the adversary sees are equal to $w$ is at least $\alpha$. Then, the probability that $\mathcal{A}$ guesses $i^*$ (i.e., causes premature termination in round $i^*$) is at most $1/(\alpha r)$.

As the adversary might have some auxiliary information on the inputs of the honest parties and know the value of $f_n(x_1, \dots, x_m)$, the adversary might be able to deduce that a round is not $i^*$ if not all the values that it gets are equal to this value (or to a possible value, for randomized functionalities). Specifically, in the worst-case scenario, the adversary knows the inputs of all the honest parties. In the next claim we show a lower bound on the probability that all the values that the adversary obtains in a round $i < i^*$ of Protocol MPCWithD$_r$ are equal to a fixed value.

Claim C.2 Let $d(n)$ and $g(n)$ be the size of the domain and range, respectively, of a randomized functionality $\mathcal{F}$ computed by the protocol MPCWithD$_r$. Let $\varepsilon$ be a number such that $\Pr[f_n(x_1, \dots, x_m) = w_B] \ge \varepsilon$ for every set of inputs $x_1, \dots, x_m$ and for each $w_B$ from the range of $f_n(x_1, \dots, x_m)$. Then, the probability that in a round $i < i^*$ all the values that the adversary sees are equal to a specific $w$ is at least $(\varepsilon / d(n)^m)^{2^t - 1}$.

Furthermore, if $\mathcal{F}$ is deterministic, then this probability is at least $(1 / d(n)^m)^{2^t - 1}$.

Proof: We start with the case of a deterministic functionality $\mathcal{F}$. Recall that $x_1, \dots, x_m$ are the inputs used by the dealer to obtain $w = f_n(x_1, \dots, x_m)$, and that $\sigma^i_J = w$ for each $i \ge i^*$ and each $J \subseteq [m]$ s.t. $m - t \le |J| \le t$. Let $J$ be such that the adversary obtains $\sigma^i_J$ in round $i < i^*$. Recall that $\hat{x}_1, \dots, \hat{x}_m$ are the inputs used by the dealer to obtain $\sigma^i_J$, that is, $\sigma^i_J = f_n(\hat{x}_1, \dots, \hat{x}_m)$, where $\hat{x}_j = x_j$ for each $j \in J$ and $\hat{x}_j$ is selected uniformly at random from $X_n$ for every $j \notin J$. We bound the probability that $\sigma^i_J = w$ by the probability that $\hat{x}_j = x_j$ for all $j \notin J$. The probability that $\hat{x}_j = x_j$ is $1/d$. Therefore, the probability that both sets of inputs are the same is $(1/d)^{m - |J|} \ge (1/d)^m$.

In each round of the protocol, $\mathcal{A}$ obtains the value $\sigma^i_J$ for each subset $Q_J$ s.t. $J \subseteq B$ and $m - t \le |J| \le t$; therefore, $\mathcal{A}$ obtains fewer than $2^t$ values. For each two such values $\sigma^i_J$ and $\sigma^i_{J'}$ obtained by $\mathcal{A}$ in round $i < i^*$, the sets of inputs $\{\hat{x}_j : j \notin J\}$ and $\{\hat{x}_j : j \notin J'\}$ are totally independent. Therefore, the probability that all the values that the adversary sees in round $i < i^*$ are equal to $w = f_n(x_1, \dots, x_m)$ is at least $(1/d^m)^{2^t - 1}$.

For a randomized functionality $\mathcal{F}$, we think of the evaluation of $f_n(\hat{x}_1, \dots, \hat{x}_m)$ as two steps: first $\hat{x}_j$ is randomly chosen from $X_n$ for every $j \notin J$, and then the randomized functionality is evaluated. Therefore, as $\mathcal{A}$ obtains fewer than $2^t$ values in each round $i < i^*$, the probability that all the values that the adversary sees in each round $i < i^*$ are equal to the specific $w$ is at least $(1/d^m)^{2^t - 1} \cdot \varepsilon^{2^t - 1}$. □

In the next lemma, we prove the correctness of the simulation by using the previous two lemmas. 
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Lemma C.3 Let T be a (possibly randomized) functionality, A be a non-uniform polynomial-time adver- 
sary corrupting t < 2m/ 3 parties in an execution of Protocol MPCWithD, and St be the simulator 
described in Appendix \C.1\ ( where St controls the same parties as A). Then, for every n G N, for every 
y € (X n ) m , and for every aux € {0, 1}* 

SD (REAL MPCWithDr)A(aux) (y, l"),IDEAL^ 5T(aux) (y, 1")) < 2g{n)d{n) m / (r(n)f , 

where d(n) and g(n) are the sizes of the range and the domain of T, respectively, and r(n) be the number 
of rounds in the protocol. 

Furthermore, if J- is deterministic, then, the statistical distance between these two random variables is 
at most (d(n) m ) 2 /r(n). 

Proof: Our goal here is to show that the statistical distance between the above two random variables is 
at most as described in lemma. The flow of our proof is as follows. We first bound the statistical distance 
between the two random variables by the probability that the adversary A guesses the special round i*. We 
do this by showing that, conditioned on the event that the adversary fails to guess round i* , the two random 
variables are identically distributed. Then, we bound the probability of guessing i* in time using Claim ICTl 
and Claim O 

Observe that, in the simulation, St follows the same instructions as the trusted party T in Protocol 
MPCWithD r , except for two changes. First, St does not compute the output ws, but rather gets ws 
externally from Tj. The simulator obtains this value either in the premature termination phase (if i < i*) or 
in the peeking stage when i = i*. The second difference is that in the case of a premature termination, St 
will always use ws as its message to the corrupt parties, while T will use the value from round i* — 1 of the 
appropriate subset Qj as its message. 

We analyze the probabilities of (v, c) in the two random variables according to weather the premature 
termination occurred before, during, or after the special round i*. 

Premature termination before round $i^*$. We argue that in this case the view of $A$ is identically distributed
in the real protocol and in the simulation. $S_T$ follows the same random
process in interacting with $A$ (before sending the last message in the premature termination) as does $T$ in
the real-world execution. The view of the adversary consists of values which are outputs of evaluations of
the function $f_n$ on the same input distributions. The adversary does not learn anything about the inputs of
the honest parties, hence, its decision to abort does not depend on any new information it obtains during the
interaction rounds so far. In addition, in both worlds, the output of the honest parties is the evaluation of
the function $f_n$ on the same set of inputs for the active parties and uniformly selected random inputs for the
aborted parties.

Premature termination after round $i^*$ or never occurs. Here $v$ must contain $\sigma^i_J$ for some $J$, which,
in the real-world execution, is equal to the output value of all sets for any round $i \ge i^*$ (recall that the
output value of the honest parties will be determined by one such value), and in the simulation it equals $w_S$.
Thus, in both scenarios, $v$ must be consistent with $i^*$ and with $c$, hence, $v$ completely determines $c$. Again,
since $S_T$ follows the same random process in interacting with $A$ as does $T$ in the real-world execution, the
probabilities are the same.

Premature termination in round $i^*$. This is the interesting case, which causes the statistical distance. In
the real world, the output of the honest parties is $\sigma^{i^*-1}_J$ for some $J$, while in the ideal world their output
is $w_S = f_n(x_1, \ldots, x_m)$. In the first case the output is independent of the adversary's view, while in the
second case the view determines the output. Thus, in this case the probabilities of the views are different.
However, we will show that the event of premature termination in round $i^*$ happens with small probability.

Since the probabilities of $(v, c)$ in the first two cases are equal, the statistical distance between the two
random variables is bounded by the probability of the adversary guessing $i^*$ correctly (before the abort phase
of round $i^*$). That is,

$$\mathrm{SD}(\mathrm{IDEAL}, \mathrm{REAL}) \le \Pr[\text{Premature termination in round } i^*]. \qquad (1)$$

We next use Claim C.1 and Claim C.2 to bound the probability that the adversary guesses $i^*$. However,
there might be values $w$ such that $\Pr[w = f_n(x_1, \ldots, x_m)]$ is small. Therefore, we consider two events
of guessing $i^*$, where $p_0$ is a parameter specified below. We call an output value $w$ heavy if
$\Pr[w = f_n(x_1, \ldots, x_m)] > 1/(p_0 \cdot g)$; otherwise, we call $w$ light.

Case 1: The adversary guesses $i^*$ with some light $w$. Since there are at most $g$ possible values of $f_n(x_1, \ldots, x_m)$,
the probability of this event, by the union bound, is at most $1/p_0$.

Case 2: The adversary guesses $i^*$ with some heavy $w$. By Claim C.2 with $\epsilon = p_0 \cdot g$, the probability
that $w = \sigma^i_J$ for all values that the adversary sees in round $i < i^*$ is at least $\big(1/(d^m \cdot p_0 \cdot g)\big)^{2^t}$. By
Claim C.1, the probability that the adversary guesses $i^*$ conditioned on $w$ being heavy is at most
$(d^m \cdot p_0 \cdot g)^{2^t}/r$.

We take $p_0 = r^{1/(2^t+1)}/(g \cdot d^m)$; the total probability that the adversary guesses $i^*$ in the two cases is at most

$$\frac{(d^m \cdot p_0 \cdot g)^{2^t}}{r} + \frac{1}{p_0} = \frac{1}{r^{1/(2^t+1)}} + \frac{g \cdot d^m}{r^{1/(2^t+1)}} \le \frac{2\, g \cdot d^m}{r^{1/(2^t+1)}}.$$

Therefore, by Equation (1), the statistical distance between the two random variables in the randomized case
is as claimed in the lemma.

The case that $\mathcal{F}$ is deterministic is simpler. By combining Claim C.1 and Claim C.2 we get that the
probability that $A$ guesses $i^*$ is at most $(d(n)^m)^{2^t}/r(n)$. By applying Equation (1), we get the bound on the
statistical distance between the two random variables for the deterministic case as claimed in the lemma. □



C.3 The Simulator for the Protocol with the Dealer for Polynomial Range 

Lemma C.4 Let $\mathcal{F}$ be a (possibly randomized) functionality. For every non-uniform polynomial-time
adversary $A$ corrupting $t < 2m/3$ parties in an execution of Protocol $\mathrm{MPCWithDForRange}_r$, there exists a
simulator $S_T$ in the ideal model that simulates the execution of $A$ (where $S_T$ controls the same parties as
$A$). That is, for every $n \in \mathbb{N}$, for every $y \in (X_n)^m$, and for every $\mathrm{aux} \in \{0,1\}^*$

$$\mathrm{SD}\Big(\mathrm{REAL}_{\mathrm{MPCWithDForRange}_r,\,A(\mathrm{aux})}(y, 1^n),\ \mathrm{IDEAL}_{\mathcal{F},\,S_T(\mathrm{aux})}(y, 1^n)\Big) \le \frac{(2 p(n) g(n))^{2^t}}{r(n)} + \frac{1}{2 p(n)},$$

where $g(n)$ is the size of the range of $\mathcal{F}$, $1/(2p(n))$ is the probability with which each value $\sigma^i_J$ in round $i < i^*$ is selected
uniformly at random from the range, and $r(n)$ is the number of rounds in the protocol.

Proof: The simulators and their proofs for Protocol MPCWithDForRange and Protocol MPCWithD
are similar; we only present (informally) the differences between the two simulators and the two proofs.

The modified simulator. Recall that the protocols MPCWithD and MPCWithDForRange differ
only in the step of the share generation that computes the values $\sigma^i_J$ for $i < i^*$. In MPCWithDForRange, each value $\sigma^i_J$ prior to round $i^*$
is chosen with probability $1/(2p)$ as a uniformly random value from the range of $f_n$, and with probability $1 - 1/(2p)$
it is chosen just as in MPCWithD. There are two modifications to the simulator. The first modification
is in the corresponding step of the simulation of the preprocessing phase, i.e., in the computation of $\sigma^i_J$ for
$i < i^*$. The step that replaces it appears below.

• For each $i \in \{1, \ldots, i^* - 1\}$ and for each $J \subseteq B \setminus D_0$ s.t. $m - t \le |J| \le t$ do

  1. With probability $1/(2p)$, select uniformly at random $z_J \in Z_n$ and set $\sigma^i_J = z_J$.

  2. With the remaining probability $1 - 1/(2p)$,

     (a) For each $j \in [m]$, if $j \in J$, then $S_T$ sets $\hat{x}_j = x_j$; else, $S_T$ selects uniformly at random
         $\hat{x}_j \in X_n$.

     (b) $S_T$ sets $\sigma^i_J \leftarrow f_n(\hat{x}_1, \ldots, \hat{x}_m)$.

The second modification is less obvious. Recall that both random variables appearing in the lemma contain
the output of the honest parties. In the ideal world, the honest parties always output $f_n$ applied to their
inputs. In the real world, in a premature termination in round $i < i^*$, with probability $1/(2p)$ the honest
parties output a random value from the range of $f_n$. It is hard to simulate the output of the honest parties in
the first case.^4 We simply modify the simulator such that with probability $1/(2p)$ the simulator returns $\bot$, i.e.,
it announces that the simulation has failed. The new premature termination step appears below.

Simulating the premature termination step:

• If the premature termination step occurred in round $i < i^*$,

  – With probability $1/(2p)$, for each $j \in B \setminus D_0$ send "abort$_j$" to the trusted party computing
    $\mathcal{F}$ and return $\bot$.

  – With the remaining probability $1 - 1/(2p)$, execute the original simulation of the premature
    termination step (appearing in Appendix C.1).

• Else ($i \ge i^*$), execute the original simulation of the premature termination step (appearing in
  Appendix C.1).

The modified proof. The proof for the simulator for MPCWithDForRange remains basically the same,
except for two changes. We first replace Claim C.2 by the slightly different claim below, which changes
the probability of the adversary guessing $i^*$.

Claim C.5 Let $g(n)$ be the size of the range of the (possibly randomized) functionality $\mathcal{F}$ computed by
Protocol $\mathrm{MPCWithDForRange}_r$, and let $w \in Z_n$. Then, the probability that in a round $i < i^*$ all the values
that the adversary sees are equal to $w$ is at least $\big(1/(2p(n) \cdot g(n))\big)^{2^t}$.

Proof: According to the protocol, there are two different ways to produce each value $\sigma^i_J$ in round $i < i^*$:
(1) compute $f_n$ on a set of inputs and a set of uniformly selected values from the domain of the functionality,
and (2) set $\sigma^i_J$ to a uniformly selected value from the range of the functionality. We ignore the first case.
The second option is taken with probability $1/(2p)$, and then $\sigma^i_J$ is uniformly selected from the range. Hence, the
probability that $\sigma^i_J$ is equal to a specific value is at least $1/(2p \cdot g)$.

It was explained in the proof of Claim C.2 that in each round of the protocol, $A$ obtains fewer than $2^t$
values (one for each $J \subseteq B \setminus D_0$ with $m - t \le |J| \le t$), and each of them is produced with fresh randomness.
Therefore, we conclude that the probability that all the values that $A$ obtains in round $i < i^*$ are
equal to $w$ is at least $\big(1/(2p \cdot g)\big)^{2^t}$. □

^4 For example, there might not be possible inputs of the corrupt parties causing the honest parties to output such a value.

By applying Claim C.1 we conclude that the probability of the adversary guessing $i^*$ correctly in
Protocol $\mathrm{MPCWithDForRange}_r$ is at most $(2p \cdot g)^{2^t}/r$. In case of a premature termination in round $i < i^*$,
with probability $1 - 1/(2p)$, in both the ideal world and the real world the value that the honest parties output
is the evaluation of $f_n$ on the inputs of the active parties and random inputs for the parties that aborted.
However, with probability $1/(2p)$, if premature termination occurs prior to round $i^*$, the output of the
honest parties in Protocol $\mathrm{MPCWithDForRange}_r$ is a random value from the range of $f_n$; the simulator fails
to simulate the execution in this case and outputs $\bot$. Thus,

$$\mathrm{SD}(\mathrm{IDEAL}, \mathrm{REAL}) \le \Pr[\text{Premature termination in round } i^*] + \frac{1}{2p} \cdot \Pr[\text{Premature termination before round } i^*] \le \frac{(2p \cdot g)^{2^t}}{r} + \frac{1}{2p}.$$

Therefore, the statistical distance is as claimed. □
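The following Python script is an added example, not part of the paper, that makes the quantity bounded in Equation (1) concrete for a toy instance, for both the deterministic bound $(d^m)^{2^t}/r$ of Lemma C.3 and the guessing bound $(2pg)^{2^t}/r$ of Claim C.5 used in Lemma C.4. It assumes a constructed instance: $m = 4$ parties with binary inputs, $f$ = AND of all inputs, $t = 2$ corrupt parties $p_1, p_2$ (so the only admissible set is $J = \{1,2\}$ and $A$ sees one value per round), an adversary that aborts in the first round whose value equals a target fixed in advance, and values of $r$ and $p$ chosen for the demonstration. Among such first-hit strategies the best target is the real output $w$, and the abort-at-$i^*$ probability is then at most $1/(q_w r)$, where $q_w$ is the probability that a value produced before $i^*$ equals $w$; this is why the proofs need the lower bounds on $q_w$ from Claim C.2 and Claim C.5, and why light values get separate treatment in the randomized case.

```python
"""Added example (not the paper's code): exact value of Pr[premature termination in
round i*] for a toy instance of MPCWithD_r / MPCWithDForRange_r and a first-hit adversary.

Constructed toy: m = 4 parties with binary inputs, f = AND of all inputs, t = 2 corrupt
parties p1, p2.  The only set J with m-t <= |J| <= t inside {1,2} is {1,2}, so A sees one
value sigma^i_J per round.  i* is uniform in {1..r}; the rounds before i* are independent.
"""
from itertools import product


def and4(x1, x2, x3, x4):
    """The toy deterministic functionality f_n."""
    return x1 & x2 & x3 & x4


def pre_special_hit_prob(f, corrupt_inputs, n_honest, domain, target):
    """Pr[sigma^i_J = target] for a round i < i*: f on the corrupt parties' inputs and
    fresh uniform inputs for the honest parties (the dealer's share-generation step)."""
    hits = total = 0
    for honest in product(domain, repeat=n_honest):
        total += 1
        if f(*corrupt_inputs, *honest) == target:
            hits += 1
    return hits / total


def range_variant_hit_prob(q_plain, p, range_size):
    """MPCWithDForRange: with probability 1/(2p) the value is instead uniform over the
    range, so the hit probability is never below 1/(2p*g) (Claim C.5)."""
    return (1 - 1 / (2 * p)) * q_plain + (1 / (2 * p)) / range_size


def abort_at_special_round_prob(q, r):
    """A aborts in the first round whose value equals its target, and the target is the
    real output w.  A hits i* exactly when none of the i*-1 earlier values equalled w:
        (1/r) * sum_{i=1..r} (1-q)^(i-1) = (1 - (1-q)^r) / (q r)   (q > 0),
    which is at most 1/(q r).  With q = 0 the first hit is always i*; Claim C.2 / C.5 rule
    this out by lower-bounding q."""
    if q == 0:
        return 1.0
    return (1 - (1 - q) ** r) / (q * r)


def worst_case_toy(r, p=None):
    """Maximise the abort-at-i* probability over all inputs of the toy instance.  Returns
    (probability, bound) with the bound (d^m)^(2^t)/r for the deterministic protocol
    (Lemma C.3) or (2pg)^(2^t)/r for the range variant (Claim C.5 with Claim C.1).  The
    extra 1/(2p) of Lemma C.4 is the simulator's failure probability, not part of this event."""
    d, g, m, t = 2, 2, 4, 2
    domain = (0, 1)
    worst = 0.0
    for corrupt in product(domain, repeat=t):
        for honest in product(domain, repeat=m - t):
            w = and4(*corrupt, *honest)                     # the value seen from round i* on
            q = pre_special_hit_prob(and4, corrupt, m - t, domain, w)
            if p is not None:
                q = range_variant_hit_prob(q, p, g)
            worst = max(worst, abort_at_special_round_prob(q, r))
    bound = (d ** m) ** (2 ** t) / r if p is None else (2 * p * g) ** (2 ** t) / r
    return worst, bound


if __name__ == "__main__":
    for label, kw in (("deterministic (Lemma C.3)", {}), ("range variant, p = 10", {"p": 10})):
        prob, bound = worst_case_toy(10 ** 8, **kw)
        print(f"{label}: Pr[abort at i*] = {prob:.3e}, lemma bound = {bound:.3e}")
```

The worst case in this toy is all inputs equal to 1: the real output $w = 1$ appears before $i^*$ with probability $q_w = 1/4$, so the first-hit adversary aborts at $i^*$ with probability about $4/r$, far below the lemma's $(d^m)^{2^t}/r = 65536/r$. The slack is the price of the generic lower bound $q_w \ge (1/d^m)^{2^t}$, which has to hold for every functionality and every choice of inputs.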



D Proof of Security for the Protocols without the Dealer

D.1 The Simulator for Protocol $\mathrm{MPC}_r$

We next prove that Protocol $\mathrm{MPC}_r$ is a secure real-world implementation of the (ideal) functionality of
Protocol $\mathrm{MPCWithD}_r$. By Lemma C.3, when $r(n)$ is sufficiently large, Protocol $\mathrm{MPCWithD}_r$ is a
$1/p$-secure protocol for $\mathcal{F}$. Thus, together we get that Protocol $\mathrm{MPC}_r$ is a $1/p$-secure protocol for $\mathcal{F}$, according
to the definition in Appendix A. We analyze Protocol $\mathrm{MPC}_r$ in a hybrid model where there are 3
ideal functionalities:

Functionality $\mathrm{MultiShareGenWithAbort}_r$. This functionality is an (ideal) execution of Functionality
$\mathrm{MultiShareGen}_r$ in the secure-with-abort and cheat-detection model. That is, the functionality
gets a set of inputs. If the adversary sends "abort$_j$" for some corrupt party $p_j$, then this message
is sent to the honest parties and the execution terminates. Otherwise, Functionality $\mathrm{MultiShareGen}_r$
is executed. Then, the adversary gets the outputs of the corrupt parties. Next, the adversary decides
whether to halt or to continue: if the adversary decides to continue, it sends a "proceed" message
and the honest parties are given their outputs. Otherwise, the adversary sends "abort$_j$" for some
corrupt party $p_j$, and this message is sent to the honest parties.

Functionality FairMPC. This functionality computes the value $f_n(x_1, \ldots, x_m)$. That is, the functionality
gets a set of inputs. If a party $p_j$ sends an "abort$_j$" message, then $x_j$ is selected from $X_n$ with uniform
distribution; the functionality computes an output of the randomized functionality $f_n$ on the resulting inputs and gives it to all
parties. When this functionality is executed, an honest majority is guaranteed, hence, the functionality
can be implemented with full security (e.g., with fairness).

Functionality Reconstruction. This functionality is described in a figure earlier in the paper; it is used in
the premature termination step in Protocol $\mathrm{MPC}_r$ for reconstructing the output value from the shares
of the previous round. When this functionality is executed, an honest majority is guaranteed, hence,
the functionality can be implemented with full security (e.g., with fairness).
We consider an adversary $A$ in the hybrid model described above, corrupting $t < 2m/3$ of the parties
that engage in Protocol $\mathrm{MPC}_r$. We next describe a simulator $S$ interacting with the honest parties in the
ideal world via a trusted party $T_{\mathrm{MPCWithD}}$ executing Functionality $\mathrm{MPCWithD}_r$. The simulator $S$ runs the
adversary $A$ internally with black-box access. Simulating $A$ in an execution of the protocol, $S$ corrupts the
same subset of parties as does $A$. Denote by $B = \{i_1, \ldots, i_t\}$ the set of indices of corrupt parties. At the end
of the computation it outputs a possible view of the adversary $A$. To start the simulation, $S$ invokes $A$ on
the set of inputs $\{y_j : j \in B\}$, the security parameter $1^n$, and the auxiliary input $\mathrm{aux}$.

Simulating the preliminary phase:

1. $D_0 = \emptyset$.

2. The simulator $S$ receives a set of inputs $\{x_j : j \in B \setminus D_0\}$ that $A$ submits to Functionality
   $\mathrm{MultiShareGenWithAbort}_r$.

   If a party $p_j$ for $j \in B \setminus D_0$ does not submit an input, i.e., sends an "abort$_j$" message, then

   (a) $S$ sends "abort$_j$" to the trusted party $T_{\mathrm{MPCWithD}}$.

   (b) $S$ updates $D_0 = D_0 \cup \{j\}$.

   (c) If $|D_0| < m - t$, then Step 2 is repeated.

   (d) Otherwise ($|D_0| \ge m - t$), simulate premature termination with $i = 1$.

3. $S$ prepares outputs for the corrupted parties for Functionality $\mathrm{MultiShareGenWithAbort}_r$: the
   simulator $S$ sets $\sigma^i_J$ to a temporary value for every $J \subseteq [m] \setminus D_0$ s.t. $m - t \le |J| \le t$ and for all $i \in \{1, \ldots, r\}$.
   Then, $S$ follows Step 1 and Steps 5–8 in the computation of Functionality $\mathrm{MultiShareGen}_r$
   (skipping Steps 2–4) to obtain shares for the parties.^5

4. For each party $p_j$ s.t. $j \in B \setminus D_0$, the simulator $S$ sends to $A$:

   • The verification key $K_{\mathrm{ver}}$.

   • The masking shares $\mathrm{mask}_j(R^{i,J})$ for each $i \in \{1, \ldots, r\}$ and for every $J \subseteq [m] \setminus D_0$ s.t.
     $m - t \le |J| \le t$ and $j \in J$.

   • The messages $M_{j,1}, \ldots, M_{j,r}$.

5. If $A$ sends an "abort$_j$" for some party $p_j$ s.t. $j \in B \setminus D_0$ to $S$, then

   (a) $S$ sends "abort$_j$" to the trusted party $T_{\mathrm{MPCWithD}}$.

   (b) $S$ updates $D_0 = D_0 \cup \{j\}$.

   (c) If $|D_0| < m - t$, then Steps 2–4 are repeated.

   (d) Otherwise ($|D_0| \ge m - t$), go to simulating premature termination with $i = 1$.

   Otherwise ($A$ sends a "continue" message to $S$),

   (a) The simulator $S$ sets $D = D_0$.

   (b) The simulator sends $x_j$ to $T_{\mathrm{MPCWithD}}$ for every $j \in B \setminus D_0$ (and gets as response a
       "proceed" message).

Simulating interaction rounds:

Let $\mathcal{J}$ be the collection of subsets $J \subseteq B \setminus D_0$ s.t. $m - t \le |J| \le t$, i.e., $\mathcal{J}$ is the collection of sets of
indices of active corrupt parties after the simulation of the executions of $\mathrm{MultiShareGenWithAbort}_r$.
To simulate round $i$ for $i = 1, \ldots, r$, the simulator $S$ proceeds as follows:

^5 These shares are temporary and will later be opened to the actual values obtained from $T_{\mathrm{MPCWithD}}$ during the interaction rounds,
using the properties of Shamir's secret-sharing scheme.
1. $S$ gets from the trusted party $T_{\mathrm{MPCWithD}}$ the values that the corrupted parties see. That is, $S$
   gets a value $\sigma^i_J$ for each $J \in \mathcal{J}$.^6

2. The simulator $S$ selects shares for the inner secret-sharing scheme for corrupted parties: for
   every $J \in \mathcal{J}$, the simulator $S$ selects uniformly at random shares of $\sigma^i_J$ in a $|J|$-out-of-$|J|$
   Shamir secret-sharing scheme. Denote these shares by $\{X^{i,J}_j : p_j \in Q_J\}$.

   For each $p_j \in Q_J$, let $Y^{i,J}_j \leftarrow (X^{i,J}_j, i, J, j, \mathrm{Sign}((X^{i,J}_j, i, J, j), K_{\mathrm{sign}}))$.

3. The simulator $S$ selects complementary shares for all honest parties: for every $J \in \mathcal{J}$ and for
   each $j \in B \setminus D_0$,

   (a) $S$ calculates $\alpha_j = \mathrm{mask}_j(R^{i,J}) \oplus Y^{i,J}_j$.

   (b) $S$ selects uniformly at random $m - t$ shares of $\alpha_j$ over all possible
       selections of $m - t$ shares that are shares of $\alpha_j$ together with the $|B \setminus D_0| - 1$ shares

       $\{\mathrm{comp}_q(R^{i,J}) : q \in B \setminus (D_0 \cup \{j\})\}$

       produced in Step 3 in the simulation of the preliminary phase.
       (This is possible according to the property of Shamir's scheme.)

   Denote by $\mathrm{comp}_q(Y^{i,J}_j)$ the complementary share that $S$ selects for the honest party $p_q$ for
   a party $p_j$ s.t. $j \in (B \setminus D_0) \cap J$, where $J \in \mathcal{J}$.

4. For a party $p_j$ and a subset $J \notin \mathcal{J}$, let $\mathrm{comp}_q(Y^{i,J}_j)$ be the complementary share which was
   produced in Step 3 in the simulation of the preliminary phase, i.e., $\mathrm{comp}_q(R^{i,J})$.

5. Construct the signed message $m^i_q$ for each honest party $p_q$ in round $i$ by concatenating:

   (a) $q$.

   (b) The round number $i$.

   (c) The complementary shares described in Step 3 above (for $J \in \mathcal{J}$).

   (d) The complementary shares $\mathrm{comp}_q(Y^{i,J}_j)$ for all $J \notin \mathcal{J}$ and for all $j \in J$, described in Step 4,
       for $p_q$.

   Then, $S$ signs $m^i_q$, i.e., $S$ computes $M^i_q \leftarrow (m^i_q, \mathrm{Sign}(m^i_q, K_{\mathrm{sign}}))$.

6. The simulator $S$ sends all the messages $M^i_q$ on behalf of each honest party $p_q$ to $A$.

7. For every $j \in B \setminus D_0$ s.t. $A$ sends an invalid message or no message on behalf of $p_j$, the simulator $S$
   sends "abort$_j$" to $T_{\mathrm{MPCWithD}}$:

   (a) $D = D \cup \{j\}$.

   (b) If $|D| \ge m - t$, go to the premature termination step.

   (c) Otherwise, the simulator $S$ proceeds to the next round.

Simulating the premature termination step:

• If $i = 1$, then $S$ simulates $A$'s interaction with Functionality FairMPC as follows:

  1. $S$ receives from $A$ the inputs of the active corrupt parties.

  2. For every $j \in B \setminus D$: if $p_j$ does not send an input, then $S$ sends "abort$_j$" to $T_{\mathrm{MPCWithD}}$;
     else, $S$ sends $p_j$'s input to $T_{\mathrm{MPCWithD}}$.

• If $i > 1$, then $S$ simulates $A$'s interaction with Functionality Reconstruction as follows:

  1. $S$ receives from $A$ the inputs of the active corrupt parties, i.e., of $p_j$ s.t. $j \in B \setminus D$.

  2. If an active corrupt party $p_j$ does not send an input, or its input is not appropriately signed
     or is malformed, then $S$ sends "abort$_j$" to $T_{\mathrm{MPCWithD}}$.

• $S$ gets from $T_{\mathrm{MPCWithD}}$ a value $a$ and sends it to $A$.

• The simulator $S$ outputs the sequence of messages exchanged between $S$ and the adversary $A$
  and halts.

^6 In Steps 2–5 the simulator $S$ constructs the messages of the honest parties in order to allow the corrupted parties in each
$J \in \mathcal{J}$ to reconstruct $\sigma^i_J$.

Simulating normal termination at the end of round $r$:

1. The simulator gets $w$ from the trusted party $T_{\mathrm{MPCWithD}}$.

2. $S$ constructs all the signed shares of the inner secret-sharing scheme for each $J \subseteq [m] \setminus D_0$ s.t.
   $m - t \le |J| \le t$ and for each honest party $p_j \in Q_J$ as follows.

   For each such $J$, the simulator $S$ selects uniformly at random $|J \setminus B|$ shares of $w$ over all possible
   selections of $|J \setminus B|$ shares that together with the $|J \cap B|$ given shares
   $\{R^{r,J}_j : j \in B\}$ (produced in Step 3 in the simulation of the preliminary phase) are a sharing
   of $w$ in a $|J|$-out-of-$|J|$ secret-sharing scheme.
   (This is possible according to the property of Shamir's scheme.)

   Denote these shares by $\{X^{r,J}_j\}$.

   For each share $X^{r,J}_j$, the simulator concatenates the corresponding identifying details and signs
   them to obtain $Y^{r,J}_j \leftarrow (X^{r,J}_j, r, J, j, \mathrm{Sign}((X^{r,J}_j, r, J, j), K_{\mathrm{sign}}))$.

3. For each honest party $p_j$, the simulator $S$ sends to $A$ the shares $Y^{r,J}_j$ for all subsets $J$ such that
   $p_j \in Q_J$.

4. The simulator $S$ outputs the sequence of messages exchanged between $S$ and the adversary $A$
   and halts.
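The step "select uniformly at random ... shares that together with the given shares are a sharing of $w$ (this is possible according to the property of Shamir's scheme)", used in Step 3 of the interaction rounds and in Step 2 of the normal termination above, is the mechanism behind footnote 5: the simulator hands the corrupt parties their shares before it knows the value that will eventually have to be opened. The following Python code is an added example of that step, not code from the paper. It assumes shares in the prime field $GF(2^{61}-1)$ with party $j$'s share at $x = j$; the party indices, thresholds and values in `reopen_demo` are constructed for the demonstration.

```python
"""Added example (not the paper's code): completing a Shamir sharing so that it opens to
a value learnt only after some shares have already been fixed.

Assumptions: shares live in GF(PRIME) for the Mersenne prime 2^61 - 1, party j holds the
polynomial value at x = j, and the corrupt indices / values in reopen_demo are constructed.
"""
import random

PRIME = 2 ** 61 - 1


def _interpolate_at(points, x, prime=PRIME):
    """Lagrange evaluation at x of the unique polynomial of degree < len(points)
    passing through the given (x_i, y_i) pairs (all x_i distinct)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % prime
                den = den * (xi - xj) % prime
        total = (total + yi * num * pow(den, prime - 2, prime)) % prime
    return total


def share(secret, threshold, n, prime=PRIME, rng=random):
    """Ordinary threshold-out-of-n Shamir sharing: shares are q(1..n) for a random
    polynomial q of degree threshold-1 with q(0) = secret."""
    coeffs = [secret % prime] + [rng.randrange(prime) for _ in range(threshold - 1)]
    return {x: sum(c * pow(x, k, prime) for k, c in enumerate(coeffs)) % prime
            for x in range(1, n + 1)}


def reconstruct(shares, prime=PRIME):
    """Recover q(0) from at least `threshold` shares (a dict x -> q(x))."""
    return _interpolate_at(list(shares.items()), 0, prime)


def complete_sharing(secret, fixed_shares, n, threshold, prime=PRIME, rng=random):
    """Return a full threshold-out-of-n sharing of `secret` that agrees with
    `fixed_shares` (the shares already in corrupt hands), drawn uniformly among all such
    sharings.  Needs len(fixed_shares) < threshold: otherwise the fixed shares already
    determine a secret and nothing can be re-opened."""
    if len(fixed_shares) >= threshold:
        raise ValueError("fixed shares already determine the secret")
    free_xs = [x for x in range(1, n + 1) if x not in fixed_shares]
    # q has `threshold` coefficients; q(0) = secret and the fixed shares pin down
    # len(fixed_shares) + 1 of them.  The remaining degrees of freedom are used up by
    # choosing that many honest shares uniformly; every other honest share then follows
    # by interpolation through the `threshold` points collected in `points`.
    n_free = threshold - len(fixed_shares) - 1
    points = [(0, secret % prime)] + list(fixed_shares.items())
    points += [(x, rng.randrange(prime)) for x in free_xs[:n_free]]
    full = dict(fixed_shares)
    for x in free_xs:
        full[x] = _interpolate_at(points, x, prime)
    return dict(sorted(full.items()))


def reopen_demo(temporary=0, real_value=42, n=5, corrupt=(1, 3), seed=7):
    """The simulator's workflow for one inner |J|-out-of-|J| sharing: send the corrupt
    parties shares of a temporary value, later learn the real value from the trusted
    party, then choose the honest parties' shares so that the whole sharing opens to it.
    Returns (all shares, True iff the re-opened sharing is consistent)."""
    rng = random.Random(seed)
    threshold = n                                   # |J|-out-of-|J|, as in the interaction rounds
    corrupt_view = {x: s for x, s in share(temporary, threshold, n, rng=rng).items()
                    if x in corrupt}                # what A already holds
    opened = complete_sharing(real_value, corrupt_view, n, threshold, rng=rng)
    ok = (reconstruct(opened) == real_value
          and all(opened[x] == corrupt_view[x] for x in corrupt))
    return opened, ok


if __name__ == "__main__":
    shares, ok = reopen_demo()
    print("re-opened to 42 with corrupt shares unchanged:", ok)
```

The precondition `len(fixed_shares) < threshold` is where the simulator's case analysis lives: every admissible $J$ contains at least one honest party, so $|J \cap B| < |J|$ and the inner sharing can always be completed, and the same counting argument is what the outer scheme needs in Step 3(b). Choosing the free honest shares uniformly (rather than, say, zero) is what makes the simulated shares distributed exactly as in the real protocol, where the polynomial is random subject to the same constraints.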

D.2 Proving the Correctness of Protocol $\mathrm{MPC}_r$ and Protocol $\mathrm{MPCForRange}_r$

It can be proved that Protocol $\mathrm{MPC}_r$ is a secure implementation of the (ideal) functionality of the dealer
in Protocol $\mathrm{MPCWithD}_r$. That is,

Lemma D.1 Let $t < 2m/3$. If enhanced trapdoor permutations exist, then Protocol $\mathrm{MPC}_r$, presented
earlier in the paper, is a computationally-secure implementation (with full security) of the dealer functionality in
Protocol $\mathrm{MPCWithD}_r$.

In [3], a framework similar to the one used in this paper is used: first a protocol with a dealer for the
coin-tossing problem is presented and, then, a real-world protocol that is a computationally-secure
implementation (with full security) of the dealer functionality is described. In [3], a simulator for this protocol
is given together with a full proof; that simulator is similar to the simulator described in Appendix D.1. As the
proof in [3] is very similar to the proof for our simulator, we omit ours.

To conclude the proof, as $\mathrm{MPCWithD}_r$ is a $1/p$-secure implementation of $\mathcal{F}$ and $\mathrm{MPC}_r$ is a secure
implementation of the (ideal) functionality of the dealer in Protocol $\mathrm{MPCWithD}_r$, by the composition
theorem of Canetti [8] we conclude that $\mathrm{MPC}_r$ is a $1/p$-secure implementation of $\mathcal{F}$. That is, Theorem 1 is
proved.

Next, we claim that $\mathrm{MPCForRange}_r$ is a secure implementation of the (ideal) functionality of the dealer
in Protocol $\mathrm{MPCWithDForRange}_r$. That is,

Lemma D.2 Let $t < 2m/3$. If enhanced trapdoor permutations exist, then Protocol $\mathrm{MPCForRange}_r$,
presented earlier in the paper, is a computationally-secure implementation (with full security) of the dealer
functionality in Protocol $\mathrm{MPCWithDForRange}_r$.

Proof: Recall that the only difference between Protocol $\mathrm{MPC}_r$ and Protocol $\mathrm{MPCForRange}_r$ is in the
way that the values that the parties see prior to round $i^*$ are produced, i.e., the difference is in Functionality
$\mathrm{MultiShareGen}_r$. Specifically, Protocol $\mathrm{MPCForRange}_r$ was obtained from Protocol $\mathrm{MPC}_r$ by modifying Step 3 of
Functionality $\mathrm{MultiShareGen}_r$. Now, observe that
the simulator presented above does not refer to Step 3 of Functionality $\mathrm{MultiShareGen}_r$ in any step.
Therefore, the simulator presented in Appendix D.1 for Protocol $\mathrm{MPC}_r$ is also a simulator for Protocol
$\mathrm{MPCForRange}_r$. □

Lemma C.4 and Lemma D.2 imply Theorem 2.